DVA-C02 · Question #764
DVA-C02 Question #764: Real Exam Question with Answer & Explanation
The correct answer is D: Create an AWS KMS customer managed key. Use envelope encryption to encrypt the PHI data.. For large PHI payloads, the most secure pattern is envelope encryption: the application generates a unique data key to encrypt the PHI locally with a symmetric algorithm, then uses an AWS KMS customer managed key to encrypt (wrap) that data key. The application stores the encrypt
Question
A developer is working on an application that will store protected health information (PHI) in an Amazon RDS database. The developer applies encryption to the database. The developer must also encrypt the PHI data separately to prevent administrators from accessing the data. Because some of the PHI data files are large, the developer must encrypt the PHI data in the application locally before saving the data to the database. Which solution will meet these requirements in the MOST secure way?
Options
- ACreate an AWS KMS customer managed key. Use the KMS Encrypt operation to encrypt the PHI
- BGenerate a 256-bit AES encryption key. Store the key in base64-encoded format in the
- CConfigure the database to use an AWS KMS managed key for encryption.
- DCreate an AWS KMS customer managed key. Use envelope encryption to encrypt the PHI data.
Explanation
For large PHI payloads, the most secure pattern is envelope encryption: the application generates a unique data key to encrypt the PHI locally with a symmetric algorithm, then uses an AWS KMS customer managed key to encrypt (wrap) that data key. The application stores the encrypted data key alongside the encrypted PHI so it can later decrypt the data key through KMS and decrypt the PHI. This provides strong separation of duties and avoids sending large data to KMS for direct encryption.
Community Discussion
No community discussion yet for this question.