AWS Certified Security - Specialty (#129)

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.