A Developer is working on an application that handles 10MB documents that contain highly sensitive data. The application will use AWS KMS to perform client-side encryption. What steps must be followed?
A. Invoke the Encrypt API passing the plaintext data that must be encrypted, then reference the customer managed key ARN in the KeyId parameter
B. Invoke the GenerateRandom API to get a data encryption key, then use the data encryption key to encrypt the data
C. Invoke the GenerateDataKey API to retrieve the encrypted version of the data encryption key to encrypt the data
D. Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data
D. Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data
#> https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
#> When uploading an object—Using the customer master key (CMK) ID, the client first sends a request to AWS KMS for a CMK that it can use to encrypt your object data. AWS KMS returns two versions of a randomly generated data key:
#> 1. A plaintext version of the data key that the client uses to encrypt the object data
#> 2. A cipher blob of the same data key that the client uploads to Amazon S3 as object metadata
#> Note: The client obtains a unique data key for each object that it uploads.
C) - Correct - When you invoke GenerateDataKey, AWS KMS gives you two keys:
Plaintext DEK: This is the key you use to encrypt the actual data (in your case, the 10MB documents).
Encrypted DEK: This key is the encrypted version of the plaintext DEK, and it is what you will store alongside your encrypted data (not the plaintext version).
D) - D says: "Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data."
Yes, you do use the plaintext DEK to encrypt the data, but D doesn’t mention that you also need to store the encrypted version of the DEK (which is critical for securely managing the encryption key).
Without storing the encrypted version of the DEK, you would not be able to decrypt the data properly later. So, D doesn't fully cover the entire client-side encryption process, whereas C does.
Sorry "D" - The encrypted version of the key is not usable directly for encrypting the document. To encrypt the document, you need the plaintext version of the data encryption key. The encrypted key is useful for secure storage, but not for actual encryption.
Out of the other available options, the client application can run the following steps:
A request is made under a KMS key for a new data key. An encrypted data key and a plaintext version of the data key are returned.
Within the AWS Encryption SDK, the plaintext data key is used to encrypt the message. The plaintext data key is then deleted from memory.
The encrypted data key and encrypted message are combined into a single ciphertext byte array.
Generate a Data Encryption Key (DEK):
The client should use the GenerateDataKey API from AWS KMS to generate a DEK.
This API call returns both the plaintext DEK and an encrypted version of the DEK.
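The envelope flow those steps describe (GenerateDataKey returning a plaintext DEK plus a wrapped copy, the plaintext DEK used once and then wiped, the wrapped DEK stored beside the ciphertext and sent back to KMS Decrypt later), as an added example written for this page and not code from AWS or from any commenter. FakeKMS, seal and open_sealed are assumptions standing in for the real KMS API and the AWS Encryption SDK so the example runs offline.

```ruby
require 'openssl'
require 'securerandom'

# AES-256-GCM helpers shared by the fake KMS (wrapping the DEK under the CMK) and
# by the client (encrypting the document under the DEK). Layout: 12-byte nonce || ciphertext || 16-byte tag.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  nonce + c.update(plaintext) + c.final + c.auth_tag
end

def open_sealed(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[-16, 16]
  c.update(blob[12...-16]) + c.final # raises OpenSSL::Cipher::CipherError on a wrong key or tampering
end

# FakeKMS is an assumption of this example standing in for AWS KMS: the customer
# managed key never leaves it, and callers only ever receive data keys.
class FakeKMS
  def initialize
    @cmk = SecureRandom.random_bytes(32)
  end
  # Mirrors GenerateDataKey: a fresh plaintext DEK plus the same DEK wrapped under the CMK.
  def generate_data_key
    dek = SecureRandom.random_bytes(32)
    { plaintext: dek, ciphertext_blob: seal(@cmk, dek) }
  end

  # Mirrors Decrypt: the only way to recover a plaintext DEK from its wrapped form later.
  def decrypt(ciphertext_blob)
    open_sealed(@cmk, ciphertext_blob)
  end
end

# Client-side envelope encryption: the plaintext DEK encrypts the document once and is
# then wiped; what is stored beside the ciphertext is the *encrypted* DEK only.
def encrypt_document(kms, document)
  key = kms.generate_data_key
  ciphertext = seal(key[:plaintext], document)
  key[:plaintext].replace("\0" * key[:plaintext].bytesize) # best-effort wipe; Ruby offers no hard guarantee
  { encrypted_dek: key[:ciphertext_blob], ciphertext: ciphertext }
end

def decrypt_document(kms, envelope)
  open_sealed(kms.decrypt(envelope[:encrypted_dek]), envelope[:ciphertext])
end
```

Decryption never needs the plaintext DEK to have been kept: the stored wrapped DEK goes back to KMS, which returns the plaintext DEK for that one operation.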
The correct answer is D.
Since it is client-side encryption and the data is more than 1MB, we have the possibility to ask for a plaintext version of the data encryption key by using the GenerateDataKey API. We can use this key to encrypt our data and then send the encrypted file to the Cloud.
Correct answer is C here.
Option D is incorrect because retrieving the plaintext version of the data encryption key defeats the purpose of encrypting the data in the first place. Storing plaintext data encryption keys creates a vulnerability and exposes sensitive data.