A company replicates data between two S3 buckets in different regions using cross-region replication (CRR). The source bucket in eu-west-1 stores sensitive data encrypted with a customer-managed KMS key (SSE-KMS) . The destination bucket in eu-central-1 uses its own customer-managed KMS key for encryption. An IAM role is configured for replication. However, only unencrypted objects are being replicated successfully. Encrypted objects fail to replicate. What steps should the security team take to resolve the issue? (Select THREE.)