AWS Certified Developer – Associate — Question 10
A Developer is working on an application that handles 10MB documents that contain highly-sensitive data. The application will use AWS KMS to perform client-side encryption.
What steps must be followed?
Answer options
- A. Invoke the Encrypt API passing the plaintext data that must be encrypted, then reference the customer managed key ARN in the KeyId parameter
- B. Invoke the GenerateRandom API to get a data encryption key, then use the data encryption key to encrypt the data
- C. Invoke the GenerateDataKey API to retrieve the encrypted version of the data encryption key to encrypt the data
- D. Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data
Correct answer: D
Explanation
The correct answer is D because the GenerateDataKey API returns the plaintext version of the data encryption key, which the application uses directly to encrypt the sensitive data on the client side (the encrypted copy of the same key is stored alongside the ciphertext so it can later be unwrapped by KMS for decryption). Option A is incorrect because the Encrypt API sends the document itself to KMS rather than retrieving a data key for client-side encryption. Option B is incorrect because GenerateRandom returns random bytes that are not a data key protected by a customer managed key. Option C is incorrect because it provides the encrypted version of the key, which cannot be used to encrypt data; the plaintext version is needed for encryption.