A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket that stores the files is configured for serverside encryption with S3 managed encryption keys (SSE-S3).
According to new security requirements, the company must control all encryption keys. Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls. Which combination of steps must a security engineer take to meet these requirements? (Choose three.)
A. Create a new-customer managed CMK in AWS Key Management Service (AWS KMS).
B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C).
C. Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
D. Create an AWS managed CMK for Amazon S3 in AWS Key Management Service (AWS KMS).
E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
F. Change all the S3 objects in the bucket to use the new encryption key.
