AWS Certified Developer – Associate (DVA-C02) — Question 502
A company is building an application to accept data from customers. The data must be encrypted at rest and in transit.
The application uses an Amazon API Gateway API that resolves to AWS Lambda functions. The Lambda functions store the data in an Amazon Aurora MySQL DB cluster. The application worked properly during testing.
A developer configured an Amazon CloudFront distribution with field-level encryption that uses an AWS Key Management Service (AWS KMS) key. After the configuration of the distribution, the application behaved unexpectedly. All the data in the database changed from plaintext to ciphertext.
The developer must ensure that the data is not stored in the database as the ciphertext from the CloudFront field-level encryption.
Which solution will meet this requirement?
Answer options
- A. Change the CloudFront Viewer protocol policy from “HTTP and HTTPS” to “HTTPS only.”
- B. Add a Lambda function that uses the KMS key to decrypt the data fields before saving the data to the database.
- C. Enable encryption on the DB cluster by using the same KMS key that is used in CloudFront.
- D. Request and deploy a new SSL certificate to use with the CloudFront distribution.
Correct answer: B
Explanation
CloudFront field-level encryption encrypts the form fields named in the field-level encryption profile at the edge, using the RSA public key uploaded to CloudFront, so those fields arrive at the origin (API Gateway and Lambda) as ciphertext that TLS termination does not undo. The Lambda function therefore writes ciphertext to Aurora unless it decrypts those fields itself, with the private key that matches the uploaded public key (the question frames this key as managed through AWS KMS; in practice the private key is fetched from a secret store or unwrapped with KMS at runtime, never embedded in code), before it issues the INSERT. Option B adds exactly that step. Option A only forces HTTPS between viewers and CloudFront, and option D only replaces the TLS certificate; neither touches the request body. Option C enables Aurora storage encryption, which is transparent to the application and would simply store the already-encrypted field values as they are (it also satisfies the at-rest requirement, but it is independent of field-level encryption and can only be set when the cluster is created). None of A, C or D decrypts the payload.