A research institute stores encrypted genomic datasets in an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to secure the sensitive data. A data scientist needs to use an Amazon SageMaker notebook instance to analyze the datasets stored in the bucket. The solution must ensure that the notebook instance can access the data in the S3 bucket and decrypt the data using the KMS key, while adhering to AWS best practices for security and permissions. Which options can meet these requirements independently? (Select two)