What is the MOST efficient way to manage access control for the KMS CMK7?
Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross- account vendor access.
Explanations:
KMS grants are well-suited for managing access to KMS keys in a fine-grained, programmatic manner, allowing specific principals from vendor accounts access without modifying the key policy. Grants can be created and revoked as needed, making it efficient for dynamically changing vendor access.
While IAM roles can manage access policies, updating IAM role policies frequently for cross-account access is complex and not as efficient as using KMS grants for key management.
Updating KMS key policies to add or remove vendor access is feasible but less efficient and scalable than using grants, especially given frequent access changes.
Delegated access with IAM roles could work, but frequently updating trust policies is complex and less efficient than using KMS grants directly for KMS access control.