Correct Answer: Use server-side encryption with AWS KMS customer-managed keys, with automatic annual rotation enabled.

Explanation:
The most operationally efficient and compliant solution is to use SSE-KMS with automatic key rotation. AWS KMS integrates tightly with S3 to manage encryption at rest, and it supports automatic annual key rotation, which satisfies the requirement for rotating keys every year without manual intervention. KMS also logs all key usage in AWS CloudTrail, meeting the auditing requirement.

Why the other options are incorrect:

SSE-C requires the customer to manage key delivery and encryption entirely on their own. It provides no automatic logging and introduces significant operational burden.
SSE-S3 handles encryption at rest but uses keys managed entirely by Amazon S3 and does not allow key usage logging or rotation controlviolating the compliance requirement.
SSE-KMS with manual rotation meets the auditability requirement but requires additional effort to rotate keys annually, reducing operational efficiency compared to automatic rotation.

Full AWS Practitioner Certification Question