Correct answer:
Create an encrypted copy of the latest snapshot using AWS Key Management Service (AWS KMS), then restore a new RDS instance from that snapshot to replace the existing unencrypted instance.

Explanation:
Amazon RDS does not support enabling encryption on an existing unencrypted DB instance. The only way to move from an unencrypted RDS instance to an encrypted one is to create an encrypted copy of a snapshot and then restore a new RDS instance from that snapshot. This new instance will have encryption enabled, and future snapshots taken from it will also be encrypted automatically, thus meeting the security requirement.

Why the other options are incorrect:

Copying the RDS snapshots to Amazon S3 with SSE-KMS only encrypts the copy stored in S3, not the original RDS snapshot or the RDS instance. This approach does not address the requirement to encrypt the live database or future RDS-native snapshots.
Copying RDS snapshots to Amazon Elastic Block Store (EBS) and applying encryption is not a supported or practical method for managing RDS backups. RDS snapshots are not interchangeable with EBS volumes, and this would not apply encryption to the RDS environment itself.
RDS does not allow an unencrypted instance to be retroactively encrypted. Encryption must be enabled at creation time, either directly or via restoration from an encrypted snapshot. You cannot modify an existing unencrypted RDS instance to enable encryption in place.

Full AWS Practitioner Certification Question