What should the security engineer do to meet this requirement?
Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.
Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.
Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.
Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.
Explanations:
IAM users are not necessary for Lambda functions. Instead, Lambda functions should assume execution roles to interact with AWS services, including KMS.
A key grant for the Lambda service principal does not provide the needed programmatic access control for each individual Lambda function. Instead, the Lambda functions should be assigned specific permissions through execution roles.
Creating a Lambda execution role for each Lambda function allows specific access permissions to the KMS key for each function. This is the correct way to provide granular permissions for Lambda functions.
Assuming an IAM role is not necessary if each Lambda function already has an execution role. The correct approach is to directly configure the execution role with the specific permissions needed to access the KMS key.
I structure that the answer is:
Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.