AWS Certified Developer – Associate — Question 347
When using the AWS Encryption SDK, how does the developer keep track of the data encryption keys used to encrypt data?
Answer options
- A. The developer must manually keep track of the data encryption keys used for each data object.
- B. The SDK encrypts the data encryption key and stores it (encrypted) as part of the returned ciphertext.
- C. The SDK stores the data encryption keys automatically in Amazon S3.
- D. The data encryption key is stored in the Userdata for the EC2 instance.
Correct answer: B
Explanation
The AWS Encryption SDK uses envelope encryption. For each encrypt call it generates a unique data encryption key (DEK), encrypts the plaintext with it, and then encrypts that DEK under the wrapping key (an AWS KMS key or a raw AES/RSA key, supplied through a keyring or master key provider). The encrypted data key, together with the identifier of the wrapping key and the encryption context, is written into the header of the encrypted message the SDK returns; if several wrapping keys are configured, the header carries one encrypted copy of the DEK per wrapping key. The plaintext DEK is never persisted, so the developer has nothing to track and nothing to store in external locations such as Amazon S3 or EC2 user data. On decrypt, the SDK reads the header, asks the keyring to decrypt one of the encrypted data keys (which for KMS means the caller must still have kms:Decrypt permission on that key), and uses the recovered DEK to decrypt the body. Options A, C and D all describe key management the SDK already does for you inside the message itself.