AWS Certified Developer – Associate (DVA-C02) — Question 279

A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.

The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.

Which solutions will meet these requirements?

Answer options

• A. Write the encrypted key from the GenerateDataKey API to disk for later use. Use the plaintext key from the GenerateDataKey API and a symmetric encryption algorithm to encrypt the file.
• B. Write the plain text key from the GenerateDataKey API to disk for later use. Use the encrypted key from the GenerateDataKey API and a symmetric encryption algorithm to encrypt the file.
• C. Write the encrypted key from the GenerateDataKey API to disk for later use. Use the plaintext key from the GenerateDataKey API to encrypt the file by using the KMS Encrypt API.
• D. Write the plain text key from the GenerateDataKey API to disk for later use. Use the encrypted key from the GenerateDataKey API to encrypt the file by using the KMS Encrypt API.

Correct answer: A

Explanation

Because the PDF file size is over 1 MB, the standard KMS Encrypt API cannot be used directly as it has a payload limit of 4 KB. Instead, envelope encryption must be utilized by calling GenerateDataKey to obtain both a plaintext data key and an encrypted data key. The application must encrypt the file locally using the plaintext key and a symmetric encryption algorithm, discard the plaintext key from memory, and securely save the encrypted data key to disk alongside the ciphertext for future decryption.