In your organization, a customer-managed key named TestCMK has been created for a new project. This key is supposed to be used only by related AWS services in this project including EC2 and RDS in region us-west-2. For security concerns, you need to make sure that no other services can encrypt or decrypt using this particular CMK. In the meantime, EC2 and RDS should use the key without issues. How should you implement this?

Answer options:

A.Attach an IAM policy to each IAM user to deny kms:Encrypt and kms:Decrypt if the key is TestCMK.
B.Configure an IAM service role to allow kms:Encrypt and kms:Decrypt if the key is TestCMK. Attach the IAM role to EC2 and RDS instances.
C.Configure a key policy for this CMK. Use kms:ViaService to check if the request comes from ec2.us-west-2.amazonaws.com or rds.us-west-2.amazonaws.com.
D.Configure a key policy for this CMK. Use kms:ValidTo to check if the request comes from EC2 or RDS services.

Answer: C
Option A is incorrect because this solution cannot ensure that only EC2 or RDS can use this CMK.
Option B is incorrect because other services may be able to use the CMK if the role is being attached.
Option C is CORRECT Because kms:ViaService is the correct key condition to filter that only EC2 and RDS can use the CMK. For example, the below condition can be added to the key policy:
"Condition": {
"ForAnyValue:StringEquals": {
"kms:ViaService": [
"ec2.us-west-2.amazonaws.com",
"rds.us-west-2.amazonaws.com"
]
}
}
Option D is incorrect because kms: ValidTo is a condition to determine when the imported key material expires. It would not work for the current scenario.
For more details on AWS KMS CMK, kindly refer to the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html.