As a Cloud Security Engineer, you perform a security audit of AWS services that your company is using. You have found that for customer master keys(CMKs) in KMS, the key policies are too open, allowing almost all services or users to use them. Take below key policy as an example:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/John"
},
"Action": "kms:CreateGrant",
"Resource": "*"
}
The user John can create grants on the key without any restriction. You want to create a condition in the key policy to ensure that the grant should only be created by integrated AWS services rather than the user himself. How should you achieve that?

Answer options:

A.Add the below condition in the key policy:
 "Condition": {
"Bool": {
"kms:ViaService": true
}
}
B.Add the below condition in the key policy:
 "Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
C.Add the below condition in the key policy:
 "Condition": {
"Bool": {
"kms:KeyOrigin": true
}
}
D.Add the below condition in the key policy:
 "Condition": {
"Bool": {
"kms:GranteePrincipal": true
}
}

Answer: B
Option A is incorrect because kms: ViaService limits the use of a CMK to requests from specified AWS services. It cannot work with the action of kms: CreateGrant.
Option B is CORRECT because when kms: GrantIsForAWSResource is true, only integrated AWS services can create grants.
Option C is incorrect because kms: KeyOrigin is used to control access to the CreateKey action based on the Origin parameter in the request. Valid values for Origin are AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.
Option D is incorrect because kms: GranteePrincipal can control access to the CreateGrant operation. CreateGrant is allowed only when the GranteePrincipal parameter in the request matches that in the condition. It is not suitable for this scenario.
For more information, kindly refer to the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource.