The requirement calls for encryption with keys the company controls. This is provided by server-side encryption that uses a customer-managed AWS KMS key (SSE-KMS with a CMK).

Step 1 – Set the bucket’s default encryption to SSE-KMS and select the company’s customer-managed CMK.

Step 2 – Add a bucket policy that denies PutObject requests lacking “x-amz-server-side-encryption":"aws:kms”.

Step 3 – Because versioning is disabled, copy (re-upload) every existing object so that S3 writes a new object encrypted with the CMK; the original unencrypted copies are overwritten.

This ensures all present and future objects are encrypted with company-managed keys.

A. SSE-S3 always uses Amazon-managed keys; customers cannot supply their own, so it fails the “company-managed key” requirement.

C. A bucket policy cannot “automatically encrypt” objects on GetObject; it can only enforce PutObject conditions. Existing objects remain with SSE-S3.

D. “AES-256 with a customer managed key” does not exist; AES-256 designates SSE-S3, which again uses Amazon-managed keys.

1. Amazon S3 User Guide – “Using server-side encryption with AWS Key Management Service (SSE-KMS)” (Section: Specifying a customer managed key) – https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

2. Amazon S3 User Guide – “Copying objects” (Section: Changing encryption of existing objects) – https://docs.aws.amazon.com/AmazonS3/latest/userguide/CopyingObjectUsingCLI.html

3. AWS KMS Developer Guide – “Customer managed keys” (Para 1) – https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

4. Amazon S3 Bucket Policy Examples – “Deny unencrypted object uploads” – https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html#bucket-encryption-enforcing