In a serverless application, an API key is required for third-party authentication. The company seeks a secure method to integrate this key into AWS Lambda, with encryption managed by a customer-controlled AWS KMS key and restricted visibility to authorized entities. Which approach aligns with these criteria?