Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only by the S3 service. How can this be achieved?

Answer options:

A.Create an IAM policy that allows the key to be accessed by only the S3 service.
B.Create a bucket policy that allows the key to be accessed by only the S3 service.
C.Use the kms:ViaService condition in the Key policy.
D.Define an IAM user, allocate the key and then assign the permissions to the required service.

Answer: C
Option A is incorrect because mapping keys to services cannot be done via the IAM policy.
Option B is incorrect because mapping keys to services cannot be done via the bucket policy.
Option C is CORRECT because the km: ViaService condition key limits the use of a customer-managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.)
Option D is incorrect because the requirement states each particular key should only be accessed by specific services and not specific IAM users.
For more information on KMS key policy, kindly refer to the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html