How to do it...

We can grant encrypt permission to testuser and then use it to encrypt as follows:

  1. Grant encrypt permission to testuser using the create-grant subcommand by providing the user's ARN:
aws kms create-grant \
--key-id 1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5 \
--grantee-principal arn:aws:iam::135301570106:user/testuser \
--operations "Encrypt" \
--profile awssecadmin

We should get a response similar to the one shown in the following screenshot:

We can get the user's ARN from the IAM dashboard or construct one following the preceding format. We can also retrieve the user's ARN from the command line with the following command:

aws iam get-user \
--user-name testuser \
--profile awssecadmin

This command will return a response similar to the following:

  2. Encrypt data with the testuser user:
aws kms encrypt \
--plaintext "hello 3" \
--key-id 1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5 \
--profile testuser

This time, we should get a successful response, as follows:

  3. Verify the grants for the key using the following command:
aws kms list-grants \
--key-id 1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5 \
--profile awssecadmin

This should return a response similar to the following:

  4. Revoke the grant by providing the grant ID:
aws kms revoke-grant \
--key-id 1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5 \
--grant-id 3a128e48932ebb663ed0cc2c8285de7e1d03171dcd9ab2fc37cfba1605bea2fe \
--profile awssecadmin

  5. Verify that the grant has been revoked by trying to encrypt data as testuser and by running the list-grants subcommand again.

Running the encrypt command from step 2 will provide the following output:

Running the list-grants subcommand from step 3 will provide the following output:
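The five steps above, combined into one checked grant lifecycle. This is an added example, not a script from the recipe: it assumes the recipe's key ID, account ID and profile names as placeholders (override them through the environment), captures the grant ID and grant token from create-grant with the CLI's JMESPath --query option, and fails if encryption is refused while the grant exists or still succeeds after it is revoked.

```shell
# Added example: the recipe's grant / encrypt / list / revoke steps as one checked
# lifecycle. Key ID, account and profile names are the recipe's placeholders.
KEY_ID="${KEY_ID:-1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5}"
GRANTEE_ARN="${GRANTEE_ARN:-arn:aws:iam::135301570106:user/testuser}"
ADMIN_PROFILE="${ADMIN_PROFILE:-awssecadmin}"
USER_PROFILE="${USER_PROFILE:-testuser}"
# Step 1: create the grant; --query returns only "<GrantId>\t<GrantToken>".
create_encrypt_grant() {
  aws kms create-grant --key-id "$KEY_ID" --grantee-principal "$GRANTEE_ARN" \
    --operations "Encrypt" --query '[GrantId,GrantToken]' --output text \
    --profile "$ADMIN_PROFILE"
}
# Step 2: return 0 if testuser can encrypt now. An optional grant token lets the
# first call use the grant before it has propagated (grants are eventually consistent).
grantee_can_encrypt() {
  if [ -n "${1:-}" ]; then set -- --grant-tokens "$1"; else set --; fi
  # AWS CLI v2 additionally needs --cli-binary-format raw-in-base64-out here.
  aws kms encrypt --key-id "$KEY_ID" --plaintext "hello 3" "$@" \
    --profile "$USER_PROFILE" >/dev/null 2>&1
}
# Step 3: grant IDs currently issued to the grantee on this key, one per line.
grants_for_grantee() {
  aws kms list-grants --key-id "$KEY_ID" --output text \
    --query "Grants[?GranteePrincipal=='$GRANTEE_ARN'].GrantId" \
    --profile "$ADMIN_PROFILE" | tr '\t' '\n'
}
# Step 4: revoke by grant ID.
revoke_grant() {
  aws kms revoke-grant --key-id "$KEY_ID" --grant-id "$1" --profile "$ADMIN_PROFILE"
}
# Step 5 folded in: fail unless encrypt works while the grant exists and is
# refused (and the ID is gone from list-grants) once it has been revoked.
grant_lifecycle_check() {
  grant=$(create_encrypt_grant) || return 1
  gid=$(printf '%s\n' "$grant" | cut -f1)
  token=$(printf '%s\n' "$grant" | cut -f2)
  grantee_can_encrypt "$token" || { echo "encrypt denied despite grant $gid" >&2; return 1; }
  revoke_grant "$gid" || return 1
  grants_for_grantee | grep -qx "$gid" && { echo "$gid still listed" >&2; return 1; }
  if grantee_can_encrypt; then
    echo "encrypt still allowed after revoking $gid: check the key policy and other grants" >&2
    return 1
  fi
  echo "grant $gid created, exercised and revoked"
}
# Run the whole lifecycle only when explicitly asked: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then grant_lifecycle_check; fi
```

Revocation is also eventually consistent, so against a real key the final encrypt check may need a short wait before it reliably reports denial.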

Similarly, we can grant permission for other operations.
