nerdexam
Amazon

DVA-C02 · Question #92

An application under development is required to store hundreds of video files. The data must be encrypted within the application prior to storage, with a unique key for each video file. How should the

The correct answer is C. Use the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store. Envelope encryption with KMS GenerateDataKey produces a unique plaintext data key per file for local encryption, stores only the encrypted copy of the key alongside the ciphertext, and never exposes the plaintext key at rest.

Submitted by katya_ua· Mar 5, 2026Development with AWS Services

Question

An application under development is required to store hundreds of video files. The data must be encrypted within the application prior to storage, with a unique key for each video file. How should the developer code the application?

Options

  • AUse the KMS Encrypt API to encrypt the data. Store the encrypted data key and data.
  • BUse a cryptography library to generate an encryption key for the application. Use the encryption
  • CUse the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store
  • DUpload the data to an S3 bucket using server side-encryption with an AWS KMS key.

How the community answered

(24 responses)
  • A
    13% (3)
  • B
    8% (2)
  • C
    75% (18)
  • D
    4% (1)

Why each option

Envelope encryption with KMS GenerateDataKey produces a unique plaintext data key per file for local encryption, stores only the encrypted copy of the key alongside the ciphertext, and never exposes the plaintext key at rest.

AUse the KMS Encrypt API to encrypt the data. Store the encrypted data key and data.

The KMS Encrypt API is limited to data up to 4 KB; it cannot directly encrypt large video files and does not implement envelope encryption with per-file unique keys.

BUse a cryptography library to generate an encryption key for the application. Use the encryption

Generating keys entirely within a cryptography library means the keys are never protected by KMS; key management, rotation, and auditing responsibilities fall entirely on the application, which is error-prone and non-compliant.

CUse the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. StoreCorrect

KMS GenerateDataKey returns both a plaintext data key and a KMS-encrypted copy of that key. The application uses the plaintext key to encrypt the video file locally, immediately discards the plaintext key from memory, and stores only the encrypted data key alongside the encrypted video. For each new file the process repeats, producing a unique key per file as required, while KMS retains the master key used to decrypt the data keys on demand.

DUpload the data to an S3 bucket using server side-encryption with an AWS KMS key.

S3 server-side encryption applies encryption at the storage layer, not within the application as required; additionally, SSE-KMS uses a single CMK for all objects unless explicitly configured per object, not guaranteeing a unique key per video file.

Concept tested: AWS KMS envelope encryption with GenerateDataKey

Source: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice