DVA-C02 · Question #524
An AWS Lambda function generates a 3 MB JSON file and then uploads it to an Amazon S3 bucket daily. The file contains sensitive information, so the developer must ensure that it is encrypted before up
The correct answer is C. Use the GenerateDataKey API, then use that data key to encrypt the file in the Lambda function. Client-side encryption using a KMS-generated data key ensures the file is encrypted within the Lambda function before it is transmitted to S3.
Question
An AWS Lambda function generates a 3 MB JSON file and then uploads it to an Amazon S3 bucket daily. The file contains sensitive information, so the developer must ensure that it is encrypted before uploading to the bucket. Which of the following modifications should the developer make to ensure that the data is encrypted before uploading it to the bucket?
Options
- AUse the default AWS Key Management Service (AWS KMS) key for Amazon S3 in the Lambda
- BUse the S3 managed key and call the GenerateDataKey API to encrypt the file.
- CUse the GenerateDataKey API, then use that data key to encrypt the file in the Lambda function
- DUse an AWS Key Management Service (AWS KMS) customer managed key for Amazon S3 in
How the community answered
(27 responses)- A15% (4)
- B7% (2)
- C74% (20)
- D4% (1)
Why each option
Client-side encryption using a KMS-generated data key ensures the file is encrypted within the Lambda function before it is transmitted to S3.
Using the default KMS key for S3 enables server-side encryption (SSE-KMS), meaning S3 performs the encryption after receiving the data; the file is transmitted in plaintext and is not encrypted before upload.
S3 managed keys (SSE-S3) are controlled by AWS and cannot be used with the `GenerateDataKey` API for client-side encryption; this would still result in server-side encryption.
The AWS KMS `GenerateDataKey` API returns both a plaintext data key and an encrypted copy of that key. The Lambda function uses the plaintext key to encrypt the JSON file locally (client-side), then uploads the ciphertext to S3 along with the encrypted data key. This guarantees the data is encrypted before it ever leaves the Lambda execution environment.
Configuring a customer managed key for S3 also enables server-side encryption at the S3 level, so the file is not encrypted before being uploaded.
Concept tested: Client-side encryption with KMS GenerateDataKey API
Source: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
Community Discussion
No community discussion yet for this question.