Exam AWS Certified Developer Associate topic 1 question 117 discussion

GenerateDataKev spelling error bros 👊

For the exam: anything over 4 KB of data that needs to be encrypted must use the Envelope Encryption == GenerateDataKey API So, the correct answer is B

D is incorrect because it encrypts small data not exceeding 4kb B is correct where we generate a data key and use Envelope encryption https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html

D is incorrect because it encrypts small data not exceeding 4kb B is correct where we generate a data key and use Envelope encryption https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html

Answer is D - since passing the data to KMS will encrypt the data Option C - This will just provide you the key for further encryption

To be able to perform the encryption it should be D.

To perform encryption on the data before sending it downstream in a Lambda function, you would use option D: Pass the data to KMS as part of the Encrypt API for encryption. AWS Key Management Service (KMS) provides a service API called Encrypt, which is used to encrypt plaintext data using a customer master key (CMK) managed by KMS. The Encrypt API call takes the plaintext data as input and returns the ciphertext, which represents the encrypted data. In your scenario, you would pass the data to KMS using the Encrypt API to encrypt it before sending it downstream. This ensures that the data is protected while in transit to the downstream service. You can specify the CMK to be used for encryption, and KMS will handle the encryption process using the specified key.

D is the answer here. Option B is incorrect. The GenerateDataKey API is used to generate an encrypted data key that can be used to encrypt or decrypt data, but it does not actually perform encryption itself. The data key would need to be used with a separate encryption method, such as AWS Encryption SDK or an encryption algorithm like AES, to encrypt the data.

Answer should be Option D as B and C get you the encryption key. They are no the API calls for encrypting data.

why not d? I can't understand it. Option B is for files which size is over 4MB and option D is the most suitable answer for me.

B is correct

why not C? KMS only supports a max of kb of data for encryption and the questions says 1MB

B. Use the KMS GenerateDataKey API to get an encryption key.

B. https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html The examples in this topic use the Encrypt, Decrypt, and ReEncrypt operations in the AWS KMS API. These operations are designed to encrypt and decrypt data keys. They use an AWS KMS keys in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.

Ans: B

I think is B

C. A more secured option since lambda needs to process data before encrypting the data