A data engineer is tasked with ensuring the encryption of sensitive customer data stored in Amazon S3 using AWS KMS. The company requires regular audits to track who accesses the encryption keys and when they are used. Which type of key should the data engineer choose to meet this requirement?