A developer is storing sensitive documents in Amazon S3 that will require encryption at rest. The encryption keys must be rotated at least annually. What is the easiest way to achieve this?

Encrypt the data before sending it to Amazon S3
Import a custom key into AWS KMS with annual rotation enabled
Use AWS KMS with automatic key rotation
Export a key from AWS KMS to encrypt the data