DVA-C02 Question #252: Real Exam Question with Answer & Explanation
The correct answer is A: Create a data key in AWS Key Management Service (AWS KMS). Use the AWS Encryption SDK. The AWS Encryption SDK combined with a KMS-generated symmetric data key enables client-side, symmetric encryption of files before they are uploaded to S3.
Question
A developer is writing an application to encrypt files outside of AWS before uploading the files to an Amazon S3 bucket. The encryption must be symmetric and must be performed inside the application. How can the developer implement the encryption in the application to meet these requirements?
Options
- A. Create a data key in AWS Key Management Service (AWS KMS). Use the AWS Encryption SDK
- B. Create a Hash-Based Message Authentication Code (HMAC) key in AWS Key Management
- C. Create a data key pair in AWS Key Management Service (AWS KMS). Use the AWS CLI to
- D. Create a data key in AWS Key Management Service (AWS KMS). Use the AWS CLI to encrypt
Explanation
The AWS Encryption SDK, used with a symmetric data key generated by AWS KMS, encrypts each file locally inside the application (client-side) before it is uploaded to S3. Only the data key is handled by KMS; the file contents never leave the application unencrypted, which satisfies both the "symmetric" and "performed inside the application" requirements.
Common mistakes.
- B. HMAC keys provide message integrity and authentication, not encryption; they cannot be used to encrypt file contents.
- C. Data key pairs in KMS are asymmetric (RSA or ECC), which contradicts the requirement for symmetric encryption.
- D. Using the AWS CLI to encrypt sends the plaintext data to the KMS service endpoint, so the encryption is performed by KMS rather than inside the application; local client-side encryption requires the Encryption SDK, not the CLI.
Concept tested. Client-side symmetric encryption with a KMS data key and the AWS Encryption SDK.
Reference. https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html