A financial services company aims to protect its customer data by ensuring it is always encrypted while stored in Amazon S3. The company seeks a solution managed by AWS that provides them the ability to fully control the creation, rotation, and removal of the encryption keys.

Given this requirement, as a Developer Associate, which of the following solutions would you recommend to meet this use-case?