A retail company is using Amazon S3 to store its sales data that is encrypted with an AWS Key Management Service (AWS KMS) customer-managed key. The company uses several AWS Lambda functions, each needing to access the sales data in the S3 bucket independently. A security engineer needs to ensure that each Lambda function has individual and restricted access permissions to the KMS key. Which solution should the security engineer implement to fulfill this requirement?