A company is setting up an Amazon EKS cluster for a digital media streaming app, using managed node groups with Amazon EBS for storage. They require data at rest encryption using a customer-managed AWS KMS key with minimal operational overhead. Which two actions meet this requirement?