Which encryption method in Amazon S3 ensures data at rest is encrypted and provides an audit trail for AWS KMS key usage as per company policy?