A company wants to encrypt S3 objects so that only specific IAM roles can decrypt them, even if someone gains S3 bucket access. Which KMS feature best satisfies this requirement?
-
A
S3 default encryption with SSE-S3
-
B
SSE-KMS with a customer managed key and a restrictive key policy
-
C
S3 Object Lock in compliance mode
-
D
SSE-C with a client-provided key