Which solution meets these requirements with the LEAST overhead?
Export the CMK key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
Edit the key policy that grants the security team access to the CMKs by adding the application team as principals. Revert this change when the application team no longer needs access.
Create a key grant to allow the application team to use the CMKs. Revoke the grant when the application team no longer needs access.
Create a new CMK by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the CMK.
Explanations:
Exporting the CMK key material to an on-premises HSM adds unnecessary complexity and overhead. It involves managing the key outside of AWS KMS and providing access to external systems, which is not the most efficient solution for temporary access.
Editing the key policy to add the application team as principals is a viable option but requires manual changes and oversight. Reverting the changes when access is no longer needed adds unnecessary overhead, as key policies are not designed for temporary access in this manner.
Creating a key grant is the most appropriate solution. AWS KMS grants provide temporary, granular access to CMKs. The grant can be revoked when the application team no longer needs access, which minimizes overhead.
Generating key material on premises and importing it to AWS KMS whenever access is needed introduces unnecessary manual steps. The process is inefficient for temporary access and does not align with best practices for managing AWS KMS CMKs.