Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam DVA-C02 Topic 5 Question 16 Discussion

Actual exam question for Amazon's DVA-C02 exam
Question #: 16
Topic #: 5
[All DVA-C02 Questions]

A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.

The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.

Which solutions will meet these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: A

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key1.The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM42.The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS1.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.


Contribute your Thoughts:

Jestine
8 months ago
Hmm, but I'm not sure about writing the encrypted key to disk. Wouldn't it be better to just use the plaintext key and the KMS Encrypt API to encrypt the file directly?
upvoted 0 times
...
Jeanice
8 months ago
Yeah, I agree. Options C and D seem to be the only ones that actually use the KMS Encrypt API, which is what the question is asking for.
upvoted 0 times
...
Alberta
8 months ago
I think the key requirement here is that we need to use the AWS KMS symmetric customer managed key for encryption. That rules out options A and B, which use a separate symmetric algorithm.
upvoted 0 times
Micah
8 months ago
User 1
upvoted 0 times
...
Stephaine
8 months ago
User 2
upvoted 0 times
...
Jackie
8 months ago
User 1
upvoted 0 times
...
...
Malinda
8 months ago
This is a tricky question. I'm not sure if I fully understand the requirements. Do we need to use the KMS Encrypt API or can we just use a symmetric encryption algorithm with the key from GenerateDataKey?
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77