You are the Security Administrator for your company. You have to set the Key Policies for a set of users for a set of CMK keys. These users are developers who need to have the ability to encrypt and decrypt large data files using CMK keys. Which of the following is the minimum set of permissions that should be applied in the Key policies?

Answer options:

A.Allow actions on kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.
B.Allow actions on kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*.
C.Allow actions on kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:Create*.
D.None of the above.

Answer – A
This is also mentioned as an example in the AWS Documentation.
Options B is INCORRECT because the user needs to have the ability to generate the data keys.
Option C is INCORRECT because you should not allow users to create keys.
For more information on key policies, please visit the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html