A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions. B. Use IAM policies to restrict access to Encrypt and Decrypt API actions. C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK. D. Use key policies to restrict access to the appropriate IAM groups.