AWS Certified Security – Specialty — Question 212

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

Answer options

• A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
• B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
• C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
• D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Correct answer: D

Explanation

The correct answer is D because storing the encrypted data key alongside the encrypted data allows for straightforward decryption using the Decrypt API, maintaining a secure architecture. Option A is incorrect as retrieving the unencrypted data key directly from KMS is not secure. Option B is also insecure because storing plaintext data keys in DynamoDB, even with IAM protections, increases vulnerability. Option C complicates the process unnecessarily by encrypting the data key again, which isn't needed when using KMS effectively.