A company is preparing to deploy a data lake on AWS. A solutions architect must define the encryption strategy tor data at rest m Amazon S3/ The company's security policy states:
- Keys must be rotated every 90 days.
- Strict separation of duties between key users and key administrators must be implemented.
- Auditing key usage must be possible.
What should the solutions architect recommend?

A. Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs) B. Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master keys (CMKs) C. Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer master keys (CMKs) D. Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys (CMKs)