AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 124
A company stores training data as a .csv file in an Amazon S3 bucket. The company must encrypt the data and must control which applications have access to the encryption key.
Which solution will meet these requirements?
Answer options
- A. Create a new SSH access key. Use the AWS Encryption CLI with a reference to the new access key to encrypt the file.
- B. Create a new API key by using the Amazon API Gateway CreateApiKey API operation. Use the AWS CLI with a reference to the new API key to encrypt the file.
- C. Create a new IAM role. Attach a policy that allows the AWS Key Management Service (AWS KMS) GenerateDataKey action. Use the role to encrypt the file.
- D. Create a new AWS Key Management Service (AWS KMS) key. Use the AWS Encryption CLI with a reference to the new KMS key to encrypt the file.
Correct answer: D
Explanation
The correct answer is D: creating a new AWS KMS key lets the company encrypt the data and control which applications can use the key through IAM policies. Options A and B are incorrect because they do not involve AWS KMS and do not provide the necessary encryption capabilities. Option C is incorrect because, although it mentions an IAM role and permissions, it does not directly involve the encryption process with a KMS key.