Step-by-Step Breakdown:
Requirement Summary:
In-transit encryption (when data is moving between client and S3)
Encryption at rest using AWS KMS keys (which are rotatable on demand)
Option A: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary
❌ Incorrect: Permissions boundaries are for IAM policy control, not S3 bucket policies.
Also, encryption enforcement in-transit is not achieved through permissions boundaries.
Option B: Configure an S3 bucket policy to enable client-side encryption
❌ Incorrect: AWS does not enforce client-side encryption via S3 bucket policies.
Client-side encryption must be handled entirely by the application.
Also, KMS is for server-side encryption, not client-side.
Option C: Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects
✅ Correct: This fulfills the requirement of encrypting objects at rest using a KMS CMK, which can be rotated.
You can specify the KMS key using the SSE-KMS option when putting an object.
Option D: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition
✅ Correct: This enforces in-transit encryption, which ensures that only HTTPS connections are allowed.
This is the AWS-recommended way to enforce encryption in transit via bucket policy.
Option E: Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS
❌ Incorrect: Block Public Access is used to prevent public exposure of the bucket.
It has nothing to do with encryption enforcement, whether in transit or at rest.
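As an added example (not code from the original page or from AWS), the following Python builds the aws:SecureTransport deny policy from Option D, the SSE-KMS PutObject parameters from Option C, and a small evaluator showing which request contexts the deny statement catches. The bucket name and KMS key ARN are constructed placeholders, and no AWS call is made.

```python
import json

# Constructed placeholder names, not values from the original page.
BUCKET = "example-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def tls_only_bucket_policy(bucket: str) -> dict:
    """Deny every S3 action on the bucket that did not arrive over HTTPS.
    aws:SecureTransport is "true" only for TLS requests, so HTTPS is unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def sse_kms_put_params(bucket: str, key: str, body: bytes, kms_key_arn: str) -> dict:
    """PutObject parameters requesting SSE-KMS with a customer managed key
    (keyword names match boto3's s3.put_object; no AWS call is made here)."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn}


def denied_by_policy(policy: dict, request: dict) -> bool:
    """Tiny evaluator for the Deny statement above. `request` is a context such as
    {"action": "s3:GetObject", "aws:SecureTransport": "false"}; a Deny applies
    when the action matches and every Bool condition key equals the context value."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", request["action"]) for a in actions):
            continue
        bools = stmt.get("Condition", {}).get("Bool", {})
        if all(str(request.get(k, "")).lower() == v for k, v in bools.items()):
            return True
    return False


def policy_json(bucket: str) -> str:
    """Serialized form suitable for PutBucketPolicy or the CLI --policy argument."""
    return json.dumps(tls_only_bucket_policy(bucket), indent=2)
```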
Using SSE-KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
aws:SecureTransport condition in bucket policies: https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html
Server-side encryption with AWS KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html