A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The ...

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The security solution must meet all of the following requirements:
- Each object must be encrypted using a unique key.
- Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.
- AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?