The correct answer is B, which is to enable S3 server-side encryption on the S3 bucket. This is because server-side encryption ensures that the data is encrypted at rest, meaning it is protected even when it is stored in Amazon S3. The encryption uses a key that is stored separately from the data, adding an extra layer of security. While other options like cross-Region replication, AWS WAF, and Amazon GuardDuty are useful for enhancing security, they do not directly address the encryption of sensitive data at rest. Server-side encryption is a fundamental security best practice for protecting sensitive data in Amazon S3.