AWS Certified Developer – Associate (DVA-C02) — Question 448
An AWS Lambda function generates a 3 MB JSON file and then uploads it to an Amazon S3 bucket daily. The file contains sensitive information, so the developer must ensure that it is encrypted before uploading to the bucket.
Which of the following modifications should the developer make to ensure that the data is encrypted before uploading it to the bucket?
Answer options
- A. Use the default AWS Key Management Service (AWS KMS) key for Amazon S3 in the Lambda function code.
- B. Use the S3 managed key and call the GenerateDataKey API to encrypt the file.
- C. Use the GenerateDataKey API, then use that data key to encrypt the file in the Lambda function code.
- D. Use an AWS Key Management Service (AWS KMS) customer managed key for Amazon S3 in the Lambda function code.
Correct answer: C
Explanation
To perform client-side encryption before uploading to Amazon S3, the developer must call the AWS KMS GenerateDataKey API to obtain a data key, then use the plaintext copy of that data key to encrypt the 3 MB file locally within the Lambda function (the encrypted copy of the data key is kept with the object so the file can later be decrypted). This is envelope encryption, and it is the only option that encrypts the data before it leaves the function. Options A, B, and D are incorrect because they either describe server-side encryption, which S3 applies only after the object has been uploaded, or attempt to use a KMS key directly in the code without generating the local data key that envelope encryption requires.