You are designing a data lake for the analysis of financial data. The system consists of a data ingestion component utilizing AWS Kinesis and a storage component utilizing AWS S3. The data in Kinesis is encrypted by a CMK managed using AWS KMS. What is the best way to ensure that the CMK is only used by the AWS Kinesis service?

Answer options:

A.Update the S3 bucket policy to allow access to the S3 bucket to the requests coming from AWS Kinesis Interface VPC endpoint using IAM Policy Condition:
"Condition": {
 "StringEquals": {
 "aws:sourceVpce": "vpce-1a2b3c4d" }
}
B.Update the S3 bucket ACL to provide WRITE grant to the Log Delivery group.
C.Update the AWS KMS Key Policy using kms:ViaService condition:"Condition": {
"StringEquals": {
"kms:ViaService": "kinesis.AWS_region.amazonaws.com" }
 }
D.Update the AWS Kinesis IAM Role to allow encryption in S3 bucket using SSE-C:
"Statement":[
{"Sid":"KinesisWritePermissions",
 "Effect":"Allow",
 "Principal": "*",
 "Action":"s3:encrypt-sse-c",
 "Resource":["arn:aws:s3:::examplebucket/*"]
 }
 ]

Answer: C
Option A is incorrect because Interface VPC Endpoints are used to integrate S3 with VPC.Option B is incorrect because S3 ACL is used to restrict access to individual objects. Log Delivery Group is used for server access logging.
Option C is CORRECT because the condition key limits the use of an AWS KMS customer master key (CMK) to requests from specified AWS services.
Option D is incorrect because there is no encrypt-SSE-C action on S3.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service