
Not so much a question as feedback on the course. Grant tokens are only mentioned in passing in the topic on grants. I got a detailed question on this concept in my recent exam, and I know for certain that I got it wrong. In preparation for the exam, I highly recommend reading the grant documentation (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html), but to explain grant tokens:
When a grant is created, the underlying permissions are applied on an "eventual consistency" basis. Once the grant is in effect, the user doesn’t need to pass any additional information to the CLI/API in order to take advantage of the newly granted permissions. To ensure the user can use the grant immediately, the create grant API returns a grant token which can be used until the grant has taken effect.
Thanks for this. I think the "eventual consistency" applies to revoking a grant too. When I tested this after revoking the grant, it seemed that the user profile could still run kms encrypt. The AccessDenied error only appeared after several minutes.
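The grant-token flow described in the first post, as an added example that is not part of the original thread. The call shapes (`create_grant` returning `GrantToken`, `encrypt` accepting `GrantTokens`) follow boto3's KMS client; `FakeKms`, its `lag` counter, `AccessDenied`, the key id and the ARN are constructed stand-ins so the example runs offline.

```python
class AccessDenied(Exception):
    """Stand-in for botocore's ClientError (code AccessDeniedException)."""


class FakeKms:
    """Constructed in-memory stand-in for a KMS client (assumption, not AWS code).
    A new grant only takes effect after `lag` further calls, modelling eventual
    consistency; a matching grant token is honoured immediately."""

    def __init__(self, lag=3):
        self.lag, self.calls, self.grants = lag, 0, {}

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        gid = f"grant-{len(self.grants) + 1}"
        self.grants[gid] = {"key": KeyId, "ops": Operations,
                            "token": f"token-{gid}",
                            "live_at": self.calls + self.lag}
        return {"GrantId": gid, "GrantToken": f"token-{gid}"}

    def encrypt(self, KeyId, Plaintext, GrantTokens=()):
        self.calls += 1
        for g in self.grants.values():
            usable = self.calls > g["live_at"] or g["token"] in GrantTokens
            if g["key"] == KeyId and "Encrypt" in g["ops"] and usable:
                return {"KeyId": KeyId, "CiphertextBlob": b"ct:" + Plaintext}
        raise AccessDenied("not authorized to perform kms:Encrypt")


def encrypt_right_after_grant(admin_kms, grantee_kms, key_id, grantee_arn, data):
    """Create a grant, then encrypt as the grantee without waiting for it to
    propagate. Returns (result of the call without a token, ciphertext)."""
    grant = admin_kms.create_grant(KeyId=key_id, GranteePrincipal=grantee_arn,
                                   Operations=["Encrypt"])
    try:
        # No token: may be denied while the grant has not yet taken effect.
        grantee_kms.encrypt(KeyId=key_id, Plaintext=data)
        without_token = "allowed"
    except AccessDenied:
        without_token = "denied"
    # With the token from create_grant the call is authorized right away.
    out = grantee_kms.encrypt(KeyId=key_id, Plaintext=data,
                              GrantTokens=[grant["GrantToken"]])
    return without_token, out["CiphertextBlob"]


if __name__ == "__main__":
    kms = FakeKms(lag=3)  # one object plays both the admin and grantee client
    arn = "arn:aws:iam::111122223333:user/example"  # constructed ARN
    print(encrypt_right_after_grant(kms, kms, "key-1", arn, b"hello"))
```

Against real AWS the two clients would be boto3 KMS clients for the granting and grantee principals, and the denial would surface as a botocore `ClientError`.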