nerdexam
Amazon

DVA-C02 · Question #524

An AWS Lambda function generates a 3 MB JSON file and then uploads it to an Amazon S3 bucket daily. The file contains sensitive information, so the developer must ensure that it is encrypted before up

The correct answer is C. Use the GenerateDataKey API, then use that data key to encrypt the file in the Lambda function. Client-side encryption using a KMS-generated data key ensures the file is encrypted within the Lambda function before it is transmitted to S3.

Submitted by sofia.br· Mar 5, 2026Security

Question

An AWS Lambda function generates a 3 MB JSON file and then uploads it to an Amazon S3 bucket daily. The file contains sensitive information, so the developer must ensure that it is encrypted before uploading to the bucket. Which of the following modifications should the developer make to ensure that the data is encrypted before uploading it to the bucket?

Options

  • AUse the default AWS Key Management Service (AWS KMS) key for Amazon S3 in the Lambda
  • BUse the S3 managed key and call the GenerateDataKey API to encrypt the file.
  • CUse the GenerateDataKey API, then use that data key to encrypt the file in the Lambda function
  • DUse an AWS Key Management Service (AWS KMS) customer managed key for Amazon S3 in

How the community answered

(27 responses)
  • A
    15% (4)
  • B
    7% (2)
  • C
    74% (20)
  • D
    4% (1)

Why each option

Client-side encryption using a KMS-generated data key ensures the file is encrypted within the Lambda function before it is transmitted to S3.

AUse the default AWS Key Management Service (AWS KMS) key for Amazon S3 in the Lambda

Using the default KMS key for S3 enables server-side encryption (SSE-KMS), meaning S3 performs the encryption after receiving the data; the file is transmitted in plaintext and is not encrypted before upload.

BUse the S3 managed key and call the GenerateDataKey API to encrypt the file.

S3 managed keys (SSE-S3) are controlled by AWS and cannot be used with the `GenerateDataKey` API for client-side encryption; this would still result in server-side encryption.

CUse the GenerateDataKey API, then use that data key to encrypt the file in the Lambda functionCorrect

The AWS KMS `GenerateDataKey` API returns both a plaintext data key and an encrypted copy of that key. The Lambda function uses the plaintext key to encrypt the JSON file locally (client-side), then uploads the ciphertext to S3 along with the encrypted data key. This guarantees the data is encrypted before it ever leaves the Lambda execution environment.

DUse an AWS Key Management Service (AWS KMS) customer managed key for Amazon S3 in

Configuring a customer managed key for S3 also enables server-side encryption at the S3 level, so the file is not encrypted before being uploaded.

Concept tested: Client-side encryption with KMS GenerateDataKey API

Source: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice