AWS KMS grants are the ideal mechanism for providing temporary, programmatic access to KMS keys. A grant is a policy instrument that allows an AWS principal (such as an IAM role for the application's software process) to use a KMS key without modifying the key policy. The security team can create a grant for the application team's process when access is needed and then revoke it when the access is no longer required. This is managed via API calls (CreateGrant, RevokeGrant), making it the solution with the least operational overhead for temporary and occasional access, while maintaining the security team's administrative control over the key policy.

A. Exporting key material is a significant security risk, bypasses KMS auditing and controls, and is only possible for keys with imported material. It represents extremely high operational and security overhead.

B. Editing the key policy for temporary access is operationally inefficient, error-prone, and can be subject to policy update propagation delays. Grants are specifically designed to avoid this overhead.

D. Creating a new key and importing material for each temporary access request is unnecessarily complex, costly, and introduces significant operational overhead compared to using a grant on an existing key.

1. AWS KMS Developer Guide, "Using grants in AWS KMS": "A grant is a policy instrument that allows AWS principals to use AWS KMS keys... They are often used for temporary permissions because you can create them, use their permissions, and revoke them without changing your key policies or IAM policies." This directly supports the use of grants for temporary access with low overhead.

2. AWS KMS Developer Guide, "Managing access to AWS KMS keys": This section details the different access control mechanisms. It explains that grants are a way to delegate permissions, often programmatically, which is distinct from the more static key policy. This aligns with the scenario of a software process needing access.

3. AWS KMS API Reference, "CreateGrant": The documentation for the CreateGrant API action states, "You can use a grant to allow an AWS principal to use a KMS key... without modifying the key policy." This confirms the programmatic and low-overhead nature of the solution.

4. AWS KMS API Reference, "RevokeGrant": The documentation for the RevokeGrant action shows how permissions can be programmatically and immediately removed, fulfilling the requirement for temporary access. This is more efficient than reverting a policy change.