AWS Certified Security – Specialty (SCS-C02) — Question 206
A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job.
Which process should the bash script use to encrypt the file?
Answer options
- A. Use the aws kms encrypt command to encrypt the file by using the existing KMS key.
- B. Use the aws kms create-grant command to generate a grant for the existing KMS key.
- C. Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.
- D. Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.
Correct answer: A
Explanation
The correct answer is A: the aws kms encrypt command encrypts the file directly with the existing KMS key, which is exactly what the job requires. Options B and C add steps that do not by themselves encrypt the file, and D incorrectly suggests encrypting with the encrypted copy of a data key rather than with the KMS key itself.