AWS KMS provides condition keys that can be used to tightly scope how and where a customer managed key can be used. According to the AWS Certified Security – Specialty Study Guide, the kms:ViaService condition key is specifically designed to restrict key usage to requests that originate from a particular AWS service in a specific Region.
By configuring the key policy to allow KMS cryptographic operations only when kms:ViaService equals s3.<region>.amazonaws.com (the S3 endpoint for the Region in which the bucket resides), the security engineer ensures that the key can be used exclusively through Amazon S3. Even if other IAM principals have permissions to use the key, it cannot be used through other services such as Amazon EC2, Amazon RDS, or AWS Lambda.
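A key policy that implements this restriction, together with a small model of how its StringEquals condition evaluates, as an added example (not taken from the study guide or AWS documentation); the account ID, Region and role name are constructed placeholders, and the evaluator is a simplified model rather than AWS's policy engine.

```python
"""Build a KMS key policy that limits use of the key to requests made through
Amazon S3 via kms:ViaService, and model how its condition evaluates.
Added example: account ID, Region and role name are constructed placeholders;
statement_allows() is a simplified model, not AWS's policy engine."""
import json

ACCOUNT = "111122223333"   # constructed placeholder account ID
REGION = "us-east-1"       # Region of the S3 bucket (ViaService is Regional)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-data-role"   # constructed


def s3_only_key_policy(account=ACCOUNT, region=REGION, role_arn=ROLE_ARN):
    """Root keeps admin rights; the app role may use the key only when the
    request arrives through S3 in the given Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without an admin statement the key becomes unmanageable.
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOnlyViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"s3.{region}.amazonaws.com",
                    "kms:CallerAccount": account,   # also pin the account
                }},
            },
        ],
    }


def statement_allows(statement, context):
    """Every StringEquals key must be present in the request context with a
    matching value; a direct kms:Decrypt call carries no kms:ViaService at
    all, so it fails the match just as a call via EC2 or RDS does."""
    return all(context.get(key) == expected
               for key, expected in statement["Condition"]["StringEquals"].items())


if __name__ == "__main__":
    print(json.dumps(s3_only_key_policy(), indent=2))  # feed to put-key-policy
```

The printed JSON can be saved to a file and installed with aws kms put-key-policy --policy-name default --policy file://policy.json; the contexts worth trying against statement_allows() are a request via s3.us-east-1, one via ec2.us-east-1, and a direct call that carries no kms:ViaService key.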
Option A is incorrect because AWS services do not assume identities in key policies. Options C and D modify IAM role policies, which do not control how a KMS key is used by AWS services. AWS documentation clearly states that service-level restrictions must be enforced at the KMS key policy level using condition keys.
This approach enforces strong separation of duties and limits blast radius, which aligns with AWS security best practices.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS KMS Key Policy Condition Keys
AWS KMS Best Practices