You have an application that needs to encrypt data using the KMS service. The company has already defined the customer master key in AWS for usage in the application.

Which of the following steps must be followed in the encryption process? Choose 2 answers from the options given below.

1 Answer

Answer - A and C.

Options B and D are incorrect because you will not use the Customer Key to encrypt and decrypt data directly.

The AWS Documentation mentions the following.

We recommend that you use the following pattern to encrypt data locally in your application.

Use this operation (GenerateDataKey) to get a data encryption key.

Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.

Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.

...
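The three steps quoted above, as an added Go example (not from the original answer or the AWS documentation). `fakeKMS` is a hypothetical local stand-in for the KMS service so the code runs offline, its two return values mirror the `Plaintext` and `CiphertextBlob` fields, and AES-256-GCM as the local cipher is this example's own choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AES-256-GCM helpers: seal prepends a random nonce, open verifies the tag.
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error here
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block cipher
	return g
}
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // never fails on Go 1.24+; check the error on older Go
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}

// fakeKMS is a local stand-in for AWS KMS (assumption): the CMK stays inside it.
type fakeKMS struct{ cmk []byte }
func (k fakeKMS) GenerateDataKey() (plaintext, ciphertextBlob []byte) {
	plaintext = make([]byte, 32)
	rand.Read(plaintext)
	return plaintext, seal(k.cmk, plaintext)
}
func (k fakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(k.cmk, blob) }
// Encrypt follows the three steps; store both return values together.
func Encrypt(k fakeKMS, data []byte) (encryptedKey, ciphertext []byte) {
	key, encryptedKey := k.GenerateDataKey()
	defer copy(key, make([]byte, len(key))) // erase the plaintext data key
	return encryptedKey, seal(key, data)
}

func main() {
	k := fakeKMS{cmk: make([]byte, 32)} // constructed all-zero CMK, demo only
	encKey, ct := Encrypt(k, []byte("constructed sample record"))
	fmt.Printf("store together: %d-byte key blob, %d-byte ciphertext\n", len(encKey), len(ct))
}
```

To read the data back, pass the stored key blob to `Decrypt` and use the returned data key with `open`.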