AWS Certified Developer – Associate (DVA-C02) — Question 540

A developer is building an application that stores sensitive user data. The application includes an Amazon CloudFront distribution and multiple AWS Lambda functions that handle user requests.

The user requests contain over 20 data fields. Each application transaction contains sensitive data that must be encrypted. Only specific parts of the application need to have the ability to decrypt the data.

Which solution will meet these requirements?

Answer options

• A. Associate the CloudFront distribution with a Lambda@Edge function. Configure the function to perform field-level asymmetric encryption by using a user-defined RSA public key that is stored in AWS Key Management Service (AWS KMS).
• B. Integrate AWS WAF with CloudFront to protect the sensitive data. Use a Lambda function and self-managed keys to perform the encryption and decryption processes.
• C. Configure the CloudFront distribution to use WebSockets by forwarding all viewer request headers to the origin. Create an asymmetric AWS KMS key. Configure the CloudFront distribution to use field-level encryption. Use the AWS KMS key.
• D. Configure the cache behavior in the CloudFront distribution to require HTTPS for communication between viewers and CloudFront. Configure GoudFront to require users to access the files by using either signed URLs or signed cookies.

Correct answer: A

Explanation

Because native Amazon CloudFront field-level encryption is restricted to a maximum of 10 data fields, using a Lambda@Edge function is required to handle requests containing over 20 fields. By utilizing Lambda@Edge to perform asymmetric encryption with an RSA public key stored in AWS KMS, the sensitive fields are securely encrypted at the edge, ensuring only authorized downstream services with the private key can decrypt them. Other options either do not support field-level encryption or cannot accommodate the 20-field requirement.