- You will be using Key-policy.
- You will be using grants on the master key.
- With the grant you will be using grant token, which is return by CreateGrant request, and you will pass this grant token to AWS KMS API call.
- Master keys are not secret, so that assigning and giving permissions on master keys are not logical.
Ans: A, C
Detailed Explanation: Yes, you can control who can access your customer managed master keys. There are two ways by which you can control
- Key Policy: In the key policy document you can add, modify or remove permissions who can access this master keys.
- Grants: Grants are the ways to control and check who can access the keys. They are alternate to key-policy. You can use grants to give long-term access which allows AWS principal to use your customer managed CMKs.
However, grants are not effective immediately that is what it is required for the question. Grants are eventually consistent. Grant to be effective immediately you will be using grant token and this token you can pass as part of AWS KMS API call, so that grants can become effective immediately.