Answer – A and D
Options B and C are incorrect since these options cannot be used to encrypt the objects. Using an S3 bucket policy, you can enforce the encryption requirement when users upload objects.
Refer below URL for more details
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
The term `rest` means when data is resting (not in transition - while data is traveling to s3).
Server-side encryption - facilitates encryption at rest.
Client-side encryption - facilitates encryption both in transition and at rest.
You have three options depending on how you choose to manage the encryption keys:
SSE-S3 requires that Amazon S3 manage the data and master encryption keys.
SSE-C requires that you manage the encryption key.
SSE-KMS requires that AWS manage the data key, but you manage the master key in AWS KMS.
For more information, please refer to the following URL-
https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. You can set default encryption on a bucket to encrypt all new objects when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).
For more information on Server - Side encryption, please refer to the below URL-
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
To know about default encryption (Option A), please refer to the below URL-
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html