An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for diff...

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?