Which combination of steps will meet these requirements?

Explanations:

Updating the default KMS key to allow only the Lambda function’s execution role to decrypt would restrict access at the KMS key level, but it does not specifically enforce the least privilege principle as the default KMS key is used by all services in the account. This may inadvertently allow other roles or services to access the key.

Creating a KMS customer managed key specifically for the Lambda function’s execution role allows for fine-grained access control. By trusting Secrets Manager and allowing only the Lambda function’s execution role to decrypt the key, it adheres to the principle of least privilege and ensures that only the necessary permissions are granted.

Allowing the account’s root principal to decrypt the customer managed key does not follow the least privilege principle, as the root account has full access to all resources in the account. This exposes the key to more permissions than necessary, increasing the risk of unauthorized access.

Ensuring that the Lambda function’s execution role has KMS permissions scoped at the resource level aligns with the principle of least privilege. Configuring these permissions allows the role to access only the specific KMS key used for the Secrets Manager secret, without granting broader permissions.

Removing all KMS permissions from the Lambda function’s execution role would prevent the function from accessing the encrypted secrets in Secrets Manager altogether, which is not a viable solution for maintaining functionality. The role needs specific permissions to access the KMS key used for decryption.