A company has many microservices that are comprised of AWS Lambda functions.

Comprehensive and Detailed Step-by-Step Explanation:

Customer Managed Keys (CMK) for Granular Control (Option B):

Customer-managed KMS keys are required to meet the security policy requirement of team-specific control over KMS key rotation. Each team can manage the lifecycle of its own key.

The kms:Decrypt permission allows the Lambda function execution roles to decrypt the environment variables during runtime.

This solution adheres to the principle of least privilege and satisfies the need for team-specific key control.

Why Other Options Are Incorrect:

Option A:AWS-managed keys cannot provide team-specific control or support the custom rotation policy required by the teams.

Option C:Adding kms:CreateGrant and kms:Encrypt permissions to Lambda roles is unnecessary for this scenario. The key usage is limited to decryption at runtime.

Option D:AWS-managed keys still lack team-specific control, and adding kms:CreateGrant and kms:Encrypt is redundant.