AWS Certified Security – Specialty — Question 317
A company has a security team that manages its AWS Key Management Service (AWS KMS) CMKs. Members of the security team must be the only ones to administer the CMKs. The company's application team has a software process that needs temporary access to the CMKs occasionally. The security team must provide the application team's software process access to the CMKs.
Which solution meets these requirements with the LEAST overhead?
Answer options
- A. Export the CMK key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
- B. Edit the key policy that grants the security team access to the CMKs by adding the application team as principals. Revert this change when the application team no longer needs access.
- C. Create a key grant to allow the application team to use the CMKs. Revoke the grant when the application team no longer needs access.
- D. Create a new CMK by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the CMK.
Correct answer: C
Explanation
AWS KMS grants are a lightweight, temporary delegation mechanism: the security team creates a grant that lets the application team's software process use the CMKs for specific operations, then retires or revokes the grant when the access is no longer needed, all without modifying the key policy. The security team therefore keeps sole administrative control of the CMKs while minimizing administrative overhead. In contrast, editing the key policy each time (and remembering to revert it) introduces significant management overhead and risk, while exporting or importing key material adds unnecessary complexity and violates security best practices.
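The grant workflow the correct answer describes, as an added example that is not part of the original question page or AWS's own documentation: the security team creates a grant scoped to the few cryptographic operations the software process needs, constrained by an encryption context, lists the active grants as an audit check, and revokes the grant when the job is done. The key ARN, the application team's role ARN, and the encryption-context values are constructed placeholders, and the KMS client is passed in as a parameter so the functions can be exercised with a stub client offline; with a real boto3 client they issue the live CreateGrant, ListGrants and RevokeGrant calls.

```python
"""Temporary CMK access via AWS KMS grants (added example, not from the exam page).

Assumptions: KEY_ID, APP_ROLE_ARN and the encryption-context values below are
constructed placeholders, not real identifiers. The `kms` argument is any object
exposing create_grant / revoke_grant / list_grants with the boto3 signatures, so
a stub can stand in for the real client when running offline.
"""

# Constructed placeholders for the example.
KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_ROLE_ARN = "arn:aws:iam::111122223333:role/ApplicationTeamProcessRole"

# Least privilege: the software process only needs to use the key, never to
# administer it, so the grant lists cryptographic operations only.
ALLOWED_OPERATIONS = ["Encrypt", "Decrypt", "GenerateDataKey"]


def build_grant_request(key_id, grantee_arn, operations, app_name, purpose):
    """Build the CreateGrant parameters.

    EncryptionContextSubset restricts the grant to requests whose encryption
    context contains these key/value pairs, narrowing what the grantee can do
    with the key beyond the operation list alone.
    """
    return {
        "KeyId": key_id,
        "GranteePrincipal": grantee_arn,
        # Letting the grantee retire its own grant means the application team
        # can release access when its job finishes, without a key administrator.
        "RetiringPrincipal": grantee_arn,
        "Operations": list(operations),
        "Constraints": {
            "EncryptionContextSubset": {"app": app_name, "purpose": purpose}
        },
        "Name": f"temporary-access-{app_name}",
    }


def create_temporary_grant(kms, key_id, grantee_arn, operations, app_name, purpose):
    """Security team action: create the grant and return (grant_id, grant_token).

    The grant token lets the grantee use the grant immediately, before the
    grant has propagated through KMS's eventually consistent backend.
    """
    params = build_grant_request(key_id, grantee_arn, operations, app_name, purpose)
    response = kms.create_grant(**params)
    return response["GrantId"], response["GrantToken"]


def revoke_temporary_grant(kms, key_id, grant_id):
    """Security team action: revoke a grant that the grantee has not yet retired."""
    kms.revoke_grant(KeyId=key_id, GrantId=grant_id)
    return grant_id


def list_active_grant_ids(kms, key_id):
    """Audit check: return the IDs of all grants currently active on the key.

    ListGrants is paginated via Truncated / NextMarker, so loop until the
    final page rather than trusting the first response.
    """
    grant_ids = []
    marker = None
    while True:
        kwargs = {"KeyId": key_id}
        if marker:
            kwargs["Marker"] = marker
        page = kms.list_grants(**kwargs)
        grant_ids.extend(g["GrantId"] for g in page.get("Grants", []))
        if not page.get("Truncated"):
            return grant_ids
        marker = page["NextMarker"]


if __name__ == "__main__":
    # boto3 is only needed for live use; imported here so the module loads offline.
    import boto3

    kms = boto3.client("kms")
    grant_id, _token = create_temporary_grant(
        kms, KEY_ID, APP_ROLE_ARN, ALLOWED_OPERATIONS, "payments-batch", "nightly-run"
    )
    print("created grant", grant_id)
    print("active grants on key:", list_active_grant_ids(kms, KEY_ID))
    revoke_temporary_grant(kms, KEY_ID, grant_id)
    print("revoked grant", grant_id)
```

The key policy is never touched: the security team's administrative statement stays the only route to key administration, and access for the process lives entirely in a grant that can be listed, retired by the grantee, or revoked by the administrators. In a live deployment the grant's retiring principal and the revocation call are what keep the access "temporary", so pair this with a scheduled check that no grants linger past their intended window.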