AWS Certified Security - Specialty (#36)

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access. What is the MOST efficient way to manage access control for the KMS CMK7?

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.