As the partner, we suggested encrypting the S3 buckets with SSE-KMS and providing bucket policies that enforce all relevant security settings: encryption in transit and at rest, access controls, and bucket access points. The additional challenge was to serve encrypted PII content to authorized requests via CloudFront.
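The bucket policy part of that design, as an added example that is not the partner's own code: it builds the two at-rest controls (SSE-KMS required, uploads pinned to one CMK) and the in-transit control (TLS only) as explicit Deny statements, and a small audit function checks whether an existing policy document still carries them. The bucket name, account id, region and KMS key id are placeholders; the condition keys `aws:SecureTransport`, `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` are the real S3 policy keys.

```python
import json

# Added example, not the partner's code. Bucket name, account id, region and
# KMS key id below are placeholders.
BUCKET = "example-pii-bucket"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"


def build_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy denying plaintext transport and non-SSE-KMS uploads.

    An explicit Deny wins over any Allow, so these hold regardless of what
    IAM policies grant to callers.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # In transit: every request must arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                # At rest: uploads must request SSE-KMS. StringNotEquals also
                # matches when the header is absent, so clients that omit it
                # are denied as well.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {
                # At rest: pin uploads to this bucket's own CMK.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn
                    }
                },
            },
        ],
    }


def _deny_statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written without a list
        stmts = [stmts]
    return [s for s in stmts if s.get("Effect") == "Deny"]


def _covers_put(stmt: dict) -> bool:
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return any(a in ("s3:*", "s3:PutObject") for a in actions)


def _condition_value(stmt: dict, operator: str, key: str):
    return stmt.get("Condition", {}).get(operator, {}).get(key)


def audit_bucket_policy(policy: dict, kms_key_arn: str) -> dict:
    """Report which of the three controls an existing policy document enforces."""
    denies = _deny_statements(policy)
    return {
        "tls_enforced": any(
            str(_condition_value(s, "Bool", "aws:SecureTransport")).lower() == "false"
            for s in denies
        ),
        "sse_kms_enforced": any(
            _covers_put(s)
            and _condition_value(s, "StringNotEquals", "s3:x-amz-server-side-encryption") == "aws:kms"
            for s in denies
        ),
        "key_pinned": any(
            _covers_put(s)
            and _condition_value(s, "StringNotEquals", "s3:x-amz-server-side-encryption-aws-kms-key-id") == kms_key_arn
            for s in denies
        ),
    }


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print(audit_bucket_policy(policy, KMS_KEY_ARN))
```

Because the TLS deny applies to every principal, the CloudFront origin must be configured for HTTPS-only origin protocol, otherwise the edge function's own fetches are rejected. The audit only inspects condition values and action coverage; it is a drift check for the policy document, not a substitute for IAM Access Analyzer.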
The partner developed a Lambda@Edge function that signs authorized requests with SigV4 and delivers the encrypted data from the S3 buckets. Secrets Manager and Lambda were also used to rotate and provide the signing certificates for URL signing, along with public key rotation for the associated CloudFront distributions.