You have used a CMK to create a data key using the GenerateDataKey operation to encrypt your application`s data using envelope encryption. You have been asked to provide temporary secured access to external auditors so that they can audit the data stored. These auditors should be able to gain access to your data immediately. What is the most effective and efficient way of achieving this?

Answer options:

A.Download all data and send data via a secure courier.
B.Use key policies to assign decrypt access to auditors.
C.Use grants to assign decrypt access to auditors.
D.Use grant tokens after using grants with the decrypt and re-encrypt operation.

Answer: D
Option A is incorrect as this is not very efficient as it requires downloading all the data and then [physically transporting the data. This could cause exposure to theft and foul play, leading to tampered data not good for auditors.
Option B is not ideal as key policies are used for providing static permissions to data.
Option C is the next closest answer as it would be apt to provide temporary access. But since it`s eventually consistent, this access might not be immediate.
Option D is a CORRECT answer as grant tokens received from the CreateGrant request will mitigate potential delay and grant immediate access. Decrypt operation is needed for the auditors to decrypt and re-encrypt this data.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping