SCS-C02 · Question #234
The correct answer is D: use the aws kms generate-data-key command to generate a data key.
Question
A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job. Which process should the bash script use to encrypt the file?
Options
- A. Use the aws kms encrypt command to encrypt the file by using the existing KMS key.
- B. Use the aws kms create-grant command to generate a grant for the existing KMS key.
- C. Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt
- D. Use the aws kms generate-data-key command to generate a data key. Use the encrypted data
Explanation
Envelope encryption is the recommended pattern for encrypting files with AWS KMS. The aws kms generate-data-key command returns a data encryption key (DEK) in two forms: a plaintext copy and a copy encrypted under the customer managed key. The script uses the plaintext key to encrypt the file locally, then discards it and stores only the encrypted key alongside the ciphertext. To decrypt later, the script passes the encrypted key to aws kms decrypt, receives the plaintext key back, and uses it to decrypt the file. The KMS key itself never leaves the service and is never used to encrypt the file directly. One caveat: because the Encrypt API accepts up to 4,096 bytes of plaintext, a 2 KB file is also within the limit for direct encryption with aws kms encrypt (option A); the data-key pattern is the one that scales to files of any size and keeps per-file encryption local to the instance.
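The flow above, as an added example that is not code from the page or from the exam. It is written in Go rather than bash so that it runs offline: the two KMS calls sit behind a DataKeyProvider interface, and FakeKMS is a constructed in-memory stand-in that wraps each data key under a master key the way KMS does under the customer managed key. The names DataKeyProvider, FakeKMS, EnvelopeEncrypt and EnvelopeDecrypt, and the envelope layout, are assumptions of this example; a production implementation of the interface would call GenerateDataKey and Decrypt from the AWS SDK and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// DataKeyProvider is the slice of the KMS API the script needs. In production this
// would be implemented with the AWS SDK's GenerateDataKey (KeySpec AES_256) and
// Decrypt calls against the customer managed key (not shown here).
type DataKeyProvider interface {
	GenerateDataKey() (plaintextKey, encryptedKey []byte, err error)
	DecryptDataKey(encryptedKey []byte) ([]byte, error)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero wipes a plaintext key once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// FakeKMS is a constructed stand-in for the service so the example runs offline.
// It wraps data keys with AES-GCM under an in-memory master key that never leaves it.
type FakeKMS struct{ master cipher.AEAD }

func NewFakeKMS() (*FakeKMS, error) {
	mk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, mk); err != nil {
		return nil, err
	}
	aead, err := newGCM(mk)
	if err != nil {
		return nil, err
	}
	return &FakeKMS{master: aead}, nil
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped form.
func (f *FakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dek := make([]byte, 32)
	nonce := make([]byte, f.master.NonceSize())
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return dek, append(nonce, f.master.Seal(nil, nonce, dek, nil)...), nil
}

// DecryptDataKey unwraps a key produced by GenerateDataKey.
func (f *FakeKMS) DecryptDataKey(blob []byte) ([]byte, error) {
	ns := f.master.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("encrypted data key too short")
	}
	return f.master.Open(nil, blob[:ns], blob[ns:], nil)
}

// Envelope layout: 2-byte big-endian length of the encrypted data key, the encrypted
// data key, the GCM nonce, then the AES-GCM ciphertext of the file. The encrypted
// data key is also bound to the ciphertext as associated data so it cannot be swapped.
func EnvelopeEncrypt(kms DataKeyProvider, plaintext []byte) ([]byte, error) {
	dek, encDEK, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dek) // plaintext key is discarded as soon as the file is encrypted
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(encDEK)+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(encDEK)))
	out = append(out, encDEK...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, encDEK), nil
}

// EnvelopeDecrypt makes exactly one KMS call: unwrapping the stored data key.
func EnvelopeDecrypt(kms DataKeyProvider, envelope []byte) ([]byte, error) {
	if len(envelope) < 2 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(envelope))
	if len(envelope) < 2+n {
		return nil, errors.New("envelope truncated")
	}
	encDEK := envelope[2 : 2+n]
	dek, err := kms.DecryptDataKey(encDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(envelope) < 2+n+ns {
		return nil, errors.New("envelope truncated")
	}
	return aead.Open(nil, envelope[2+n:2+n+ns], envelope[2+n+ns:], encDEK)
}

func main() {
	k, err := NewFakeKMS()
	if err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(k, []byte("constructed 2 KB file stand-in"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(k, env)
	fmt.Printf("envelope %d bytes, round trip ok: %v\n", len(env), err == nil && string(pt) == "constructed 2 KB file stand-in")
}
```

In the bash version the same three steps are: call aws kms generate-data-key with --key-spec AES_256, which returns a Plaintext field and a CiphertextBlob field (both base64); encrypt the file locally with the decoded Plaintext; then unset that variable and keep only CiphertextBlob next to the ciphertext, handing it to aws kms decrypt when the file needs to be read.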