A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor AWS Dumps authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements? Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define AWS Dumps the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CM Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy.