The three mechanisms for controlling KMS permissions are key policy (required, permanent), IAM policy (if delegated), and today's topic: grant (temporary, granular). Until yesterday we saw how data is encrypted; today we address access governance: "who, under what conditions, and for how long can use a key?" SCS-C03 frequently tests cross-account key sharing, the kms:ViaService condition, and grant operation.
While key policies and IAM give permissions "permanently via policy documents," grant is temporary permission delegated and revoked programmatically