What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?
Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.
Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
Explanations:
Changing the key policy each time an application needs access is not efficient and does not provide fine-grained access control. It is better to use IAM policies or grants for such use cases.
AWS Certificate Manager (ACM) CMK is unrelated to Amazon S3 and KMS CMKs. This option does not meet the requirement of managing permissions for KMS CMKs.
Using a grant allows each application to have specific programmatic access control over the KMS CMK. This provides a granular and flexible approach to manage access for multiple applications.
IAM policies can grant access to KMS CMKs, but this option does not provide the level of specificity needed to control programmatic access in the context of multiple applications accessing the same KMS CMK.
I rank that the answer is:
Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.