Answer - A and D.
This is also mentioned in the AWS Documentation.
There are two ways to configure server-side encryption for Amazon S3 artifacts:
- AWS CodePipeline creates an Amazon S3 artifact bucket and default AWS-managed SSE-KMS encryption keys when creating a pipeline using the Create Pipeline wizard. The master key is encrypted along with object data and managed by AWS.
- You can create and manage your own customer-managed SSE-KMS keys.
Options B and C are incorrect since this needs to be configured at the S3 bucket level.
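
To check which of the two modes an existing pipeline uses, the following added example (not part of the original answer or the AWS documentation) classifies each artifact store in a pipeline definition shaped like `aws codepipeline get-pipeline` output. The pipeline names, bucket names, account ID and key ARN are constructed placeholders, and the handling of the `alias/aws/s3` alias is an assumption.

```python
import json

# Constructed samples shaped like the "pipeline" element of
# `aws codepipeline get-pipeline` output; all names and ARNs are placeholders.
WIZARD_PIPELINE = json.loads("""
{"name": "example-wizard-pipeline",
 "artifactStore": {"type": "S3", "location": "example-artifact-bucket"}}
""")

CROSS_REGION_PIPELINE = json.loads("""
{"name": "example-cross-region-pipeline",
 "artifactStores": {
   "us-east-1": {"type": "S3", "location": "example-artifacts-use1",
                 "encryptionKey": {"type": "KMS",
                   "id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
   "eu-west-1": {"type": "S3", "location": "example-artifacts-euw1"}}}
""")


def artifact_store_encryption(pipeline):
    """Map each artifact store to (mode, key_id).

    A store with no encryptionKey falls back to the default AWS-managed key;
    a store that names a KMS key is treated as customer-managed.
    """
    stores = {}
    if "artifactStore" in pipeline:  # single-region form
        stores["default"] = pipeline["artifactStore"]
    stores.update(pipeline.get("artifactStores", {}))  # per-region form
    report = {}
    for label, store in stores.items():
        key = store.get("encryptionKey") or {}
        key_id = key.get("id")
        if not key_id:
            report[label] = ("aws-managed-default", None)
        elif key_id.endswith("alias/aws/s3"):
            # Assumption: an explicit reference to the S3 service alias still
            # means the AWS-managed key, not a key the customer controls.
            report[label] = ("aws-managed-default", key_id)
        else:
            report[label] = ("customer-managed", key_id)
    return report


if __name__ == "__main__":
    for p in (WIZARD_PIPELINE, CROSS_REGION_PIPELINE):
        print(p["name"], artifact_store_encryption(p))
```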