A company is planning to use the AWS KMS service for encryption and decryption of its underlying data. The company needs to ensure that they use their own key material to prove ownership.
Which of the following steps must be done in order to fulfill this requirement?

Answer options:

A.Use AWS Config to see where all the keys have been used.
B.Use kms:KeyOrigin condition key in key policy.
C.Consider disabling the keys being used.
D.Consider rotating the keys being used.

Answer: B
Option A is incorrect because AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources, but this would not provide key controls access to operations based on the value of the Origin property of the CMK that is created by or used in the operation.
Option B is CORRECT because you can use this condition key to control access to the CreateKey operation based on the value of the Origin parameter in the request. Valid values for Origin are AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.
Option C is incorrect because disabling the key would not help with the key ownership definition and find its Origin if they belong to AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.
Option D is incorrect because KMS key rotation provides a Cryptographic best practice of discouraging extensive reuse of encryption keys, but this would not help with the key ownership definition and find its Origin if they belong to AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-key-origin