AWS Certified Developer – Associate — Question 323
A developer is writing an application to encrypt files outside of AWS before uploading the files to an Amazon S3 bucket. The encryption must be symmetric and must be performed inside the application.
How can the developer implement the encryption in the application to meet these requirements?
Answer options
- A. Create a data key in AWS Key Management Service (AWS KMS). Use the AWS Encryption SDK to encrypt the files.
- B. Create a Hash-Based Message Authentication Code (HMAC) key in AWS Key Management Service (AWS KMS). Use the AWS Encryption SDK to encrypt the files.
- C. Create a data key pair in AWS Key Management Service (AWS KMS). Use the AWS CLI to encrypt the files.
- D. Create a data key in AWS Key Management Service (AWS KMS). Use the AWS CLI to encrypt the files.
Correct answer: A
Explanation
To perform symmetric client-side encryption within application code, generating a symmetric data key from AWS KMS and using the AWS Encryption SDK is the correct approach. HMAC keys are used for message authentication rather than encryption, and data key pairs are for asymmetric encryption. The AWS CLI is a command-line tool, making it unsuitable for performing encryption inside the application code.