Amazon S3 is used for storing sensitive data that is generated by a serverless application. The data must be encrypted, and the company plans to use the AWS Key Management Service (KMS) to create and manage the encryption keys. The company’s security policies require that the company’s own key material is imported, and custom expiration dates are configured. How should the company configure AWS KMS?