Exam DVA-C02
Question 398

A company has an application that uses an Amazon S3 bucket for object storage. A developer needs to configure in-transit encryption for the S3 bucket. All S3 objects containing personal data need to be encrypted at rest with AWS Key Management Service (AWS KMS) keys that can be rotated on demand.

Which combination of steps will meet these requirements? (Choose two.)

    Correct Answer: C, D

    To ensure in-transit encryption for the S3 bucket, the S3 bucket policy must use the aws:SecureTransport condition so that only encrypted connections over HTTPS are allowed. This guarantees that data is encrypted during transmission. Configuring the application to encrypt the objects with an AWS KMS customer managed key before uploading them to Amazon S3 satisfies the requirement for at-rest encryption with keys that can be rotated on demand.
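As an added illustration of the in-transit requirement (not part of the original question or explanation), the following Python builds the bucket policy that denies any request where aws:SecureTransport is false, and includes a small toy evaluator to show that a plain-HTTP request context is denied while an HTTPS one is not. The bucket name is a constructed placeholder, and the evaluator only models this one Deny condition, not the full IAM evaluation logic.

```python
import json

# Constructed placeholder bucket name, not one taken from the question.
BUCKET = "example-personal-data-bucket"


def secure_transport_policy(bucket: str) -> dict:
    """Bucket policy that explicitly denies any request not made over TLS."""
    # aws:SecureTransport is "false" for plain-HTTP requests. The Deny covers
    # both the bucket itself and every object key under it.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def denied_by_policy(policy: dict, request_context: dict) -> bool:
    """Toy evaluator (assumption: only Bool conditions on Deny statements)."""
    # A matching explicit Deny always wins in IAM, so one match is enough.
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        bool_conditions = stmt.get("Condition", {}).get("Bool", {})
        for key, expected in bool_conditions.items():
            actual = str(request_context.get(key, "false")).lower()
            if actual == expected:
                return True
    return False


if __name__ == "__main__":
    policy = secure_transport_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("HTTP denied:", denied_by_policy(policy, {"aws:SecureTransport": "false"}))
    print("HTTPS denied:", denied_by_policy(policy, {"aws:SecureTransport": "true"}))
```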

Discussion
komorebi

C. Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects containing personal data to Amazon S3.
D. Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition.

rdiaz

Options: CD

To achieve the requirements of ensuring encryption in transit and at rest for the S3 bucket with AWS KMS keys, the most suitable steps are: D: Enforce HTTPS connections to ensure encryption in transit. C: Configure encryption with AWS KMS for encryption at rest.