AWS Certified Security – Specialty — Question 307
A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) CMK with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job.
Which process should the bash script use to encrypt the file?
Answer options
- A. Use the aws kms encrypt command to encrypt the file by using the existing CMK.
- B. Use the aws kms create-grant command to generate a grant for the existing CMK.
- C. Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.
- D. Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.
Correct answer: A
Explanation
The KMS Encrypt API accepts at most 4,096 bytes of plaintext per call. A 2 KB file fits, so the script can pass the file to `aws kms encrypt` and write the returned CiphertextBlob to disk; no local cipher and no data key are needed, and the instance role only needs kms:Encrypt on the key. Option D is wrong on two counts: envelope encryption is unnecessary at this size, and the encrypted data key cannot be used to encrypt anything. In envelope encryption the file is encrypted with the plaintext data key, and the encrypted data key is stored beside the ciphertext so that KMS can later decrypt it. Option C is wrong because `aws kms encrypt` encrypts the bytes you give it; data keys come from `aws kms generate-data-key`. Option B is wrong because a grant only delegates permission to use the key and performs no encryption.
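The script below is an added example, not code from the exam page or from AWS: it takes the direct `aws kms encrypt` path for files of up to 4,096 bytes and falls back to envelope encryption with `aws kms generate-data-key` for larger files, using the plaintext data key locally and keeping only the encrypted copy. The key alias, file paths and the `purpose=cron-backup` encryption context are hypothetical; the instance role is assumed to already allow kms:Encrypt and kms:GenerateDataKey on the key.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page): encrypt a file under a KMS key.
# Files up to 4096 bytes go straight to kms:Encrypt; larger files use
# envelope encryption. Key alias, paths and encryption context are hypothetical.
set -eu

KMS_DIRECT_MAX=4096   # kms:Encrypt plaintext limit in bytes

# Byte count of a file; arithmetic expansion strips the padding some wc versions add.
file_size() {
    echo "$(( $(wc -c < "$1") ))"
}

# Prints "direct" when kms:Encrypt can take the whole file, else "envelope".
kms_choose_method() {
    if [ "$(file_size "$1")" -le "$KMS_DIRECT_MAX" ]; then
        echo direct
    else
        echo envelope
    fi
}

# Direct path: KMS encrypts the bytes and returns CiphertextBlob (base64 in CLI
# output). The API response is written to a temp file first so a failed call
# cannot be masked by the pipeline that decodes it.
kms_encrypt_direct() {
    local key_id=$1 infile=$2 outfile=$3 tmp
    tmp=$(mktemp)
    aws kms encrypt \
        --key-id "$key_id" \
        --plaintext "fileb://$infile" \
        --encryption-context purpose=cron-backup \
        --query CiphertextBlob --output text > "$tmp"
    base64 -d "$tmp" > "$outfile"
    rm -f "$tmp"
}

# Envelope path: one GenerateDataKey call returns both forms of the data key.
# The PLAINTEXT key encrypts the file locally and is then discarded; the
# ENCRYPTED key (CiphertextBlob) is stored next to the ciphertext, and only
# kms:Decrypt can turn it back into the plaintext key.
kms_encrypt_envelope() {
    local key_id=$1 infile=$2 outfile=$3 tmp key_hex iv_hex
    tmp=$(mktemp -d)
    aws kms generate-data-key \
        --key-id "$key_id" --key-spec AES_256 \
        --encryption-context purpose=cron-backup \
        --query '[Plaintext,CiphertextBlob]' --output text > "$tmp/datakey"
    cut -f2 "$tmp/datakey" | base64 -d > "$outfile.key"            # encrypted key, kept
    key_hex=$(cut -f1 "$tmp/datakey" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    openssl rand 16 > "$tmp/iv"
    iv_hex=$(od -An -v -tx1 "$tmp/iv" | tr -d ' \n')
    # Output layout: 16-byte IV followed by the AES-256-CBC ciphertext.
    openssl enc -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -in "$infile" -out "$tmp/ct"
    cat "$tmp/iv" "$tmp/ct" > "$outfile"
    rm -rf "$tmp"
    unset key_hex    # plaintext data key must not outlive this function
}

kms_encrypt_file() {
    local key_id=$1 infile=$2 outfile=$3
    case "$(kms_choose_method "$infile")" in
        direct)   kms_encrypt_direct   "$key_id" "$infile" "$outfile" ;;
        envelope) kms_encrypt_envelope "$key_id" "$infile" "$outfile" ;;
    esac
}

# Cron invocation (hypothetical paths):
#   kms_encrypt.sh alias/cron-backup /var/app/report.txt /var/app/report.enc
# With no arguments the file only defines the functions, so it can be sourced.
if [ $# -eq 3 ]; then
    kms_encrypt_file "$1" "$2" "$3"
fi
```

Whoever decrypts must hold kms:Decrypt on the same key and pass the identical `--encryption-context`; for the envelope output they also need the `.key` file, the 16-byte IV at the start of the ciphertext, and the same cipher parameters.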