AWS Certified Security - Specialty (#134)

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which action would provide the required functionality?

Pass the key alias to AWS KMS when calling
Encrypt
and
Decrypt
API actions.
Use IAM policies to restrict access to
Encrypt
and
Decrypt
API actions.
Use
kms:EncryptionContext
as a condition when defining IAM policies for the CMK.
Use key policies to restrict access to the appropriate IAM groups.