web application: is it safe to store user-loaded ID scans in S3 (with server encryption)?

Currently my web application stores ID scans loaded by the user in S3. I'm worried about an eventual data leak.

The S3 package is encrypted with server-side encryption (AES-256) but I think the next obvious risk is that an attacker gains access to the AWS account. I have secured the root account with 2FA, but there are several user accounts that still have full access to S3 (such as a Travis CI account).

The solution I am thinking about is periodically moving ID scans to a different source with client-side encryption (where only I know the private key). That way, if a leak occurs, only a small amount of data will be filtered.

Is this a common practice or are there better solutions in this situation?
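One way to implement the client-side step described above (the application encrypts each scan with a public key, so only the holder of the private key can read what lands in the bucket), as an added example in Go using only the standard library, not code from the question: a fresh AES-256-GCM data key per scan, wrapped with RSA-OAEP. The function names and the use of the object name as additional data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is all that reaches the bucket; without the RSA private key it is opaque.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// newGCM builds AES-256-GCM for key, or passes through an error from the caller.
func newGCM(key []byte, err error) (cipher.AEAD, error) {
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload seals one scan with a fresh AES-256-GCM data key and wraps that key
// with RSA-OAEP; objectName is bound as additional data so a blob cannot be silently re-filed.
func EncryptForUpload(pub *rsa.PublicKey, scan []byte, objectName string) (*Envelope, error) {
	seed := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	_, err := rand.Read(seed)
	key, nonce := seed[:32], seed[32:]
	gcm, err := newGCM(key, err)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, scan, []byte(objectName))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptOffline runs only where the private key lives; a wrong key, tampering or a rename fails.
func DecryptOffline(priv *rsa.PrivateKey, env *Envelope, objectName string) ([]byte, error) {
	gcm, err := newGCM(rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}
```

Generate the RSA key pair offline and deploy only the public key to the web server; the CI credentials and the bucket then hold nothing that can decrypt a scan.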