Soc2 Encryption at Rest in AWS S3
S3 comes with essentially 3 types of encryption at rest.
Server-side (AES256) with no keys
KMS with with AWS supplied key that can only rotate every 3 years
KMS with a Customer Management Key (CMK), that can be rotated once a year.
What is the minimal level of encrytion on S3 considered SOC2 compliant?