A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use...

AWS KMS key policies can restrict how and when a key is used by applyingconditions such as kms:ViaService, which limits usage to requests that originate from a specific AWS service. According to the AWS Certified Security – Specialty Official Study Guide and AWS KMS documentation, the kms:ViaService condition is evaluated against the service that calls KMS on behalf of the principal.

Using StringEquals with kms:ViaService restricts usage toexactly one service endpoint. However, AWS services can invoke KMS throughservice variants, internal endpoints, or additional service integrations. When StringEquals is used, these variations can unintentionally bypass the condition, allowing the key to be used by other services through different internal service paths.

Changing the condition operator from StringEquals to StringLike ensures thatonly EC2-related service callsthat match the intended service pattern are allowed, while still preventing use by unrelated AWS services. This aligns with AWS guidance to use StringLike when service invocation patterns may vary.

Option B is incorrect because the root principal statement is required to retain administrative control over the key. Option C is invalid because changing Regions does not address unauthorized service usage. Option D does not restrict key usage and does not mitigate the issue.

AWS documentation explicitly recommendstightening condition operatorsin KMS key policies to prevent unintended service access while maintaining required functionality.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

AWS KMS Key Policy Best Practices