Amazon DVA-C02 Exam - Topic 5 Question 16 Discussion

Actual exam question for Amazon's DVA-C02 exam
Question #: 16
Topic #: 5

A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.

The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.

Which solutions will meet these requirements?

Suggested Answer: A

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, together with a plaintext copy of the same data key. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM4. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.
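The four steps above carried through as envelope encryption in Go, as an added example that is not code from the page or from AWS: NewStubKMS is an offline stand-in for the KMS GenerateDataKey and Decrypt calls (an assumption; in production the AWS SDK client takes its place), the file is encrypted with AES-256-GCM under the plaintext data key, only the encrypted data key is kept beside the ciphertext, and the plaintext key is zeroed before the call returns. The master key, key ID and sample PDF bytes used by callers are constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// KeyService: the two KMS calls envelope encryption needs; NewStubKMS below stands in for the real AWS client (an assumption).
type KeyService struct {
	GenerateDataKey func(keyID string) (plaintext, encrypted []byte, err error)
	Decrypt         func(encrypted []byte) ([]byte, error)
}
type Envelope struct{ EncryptedDataKey, Nonce, Ciphertext []byte } // what gets written to disk
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func zero(b []byte) { for i := range b { b[i] = 0 } }
// EncryptPDF: store only the encrypted data key, encrypt with the plaintext key (encrypted key bound as AAD), then wipe it.
func EncryptPDF(kms KeyService, keyID string, pdf []byte) (*Envelope, error) {
	plainKey, encKey, err := kms.GenerateDataKey(keyID) // step 1
	if err != nil { return nil, err }
	defer zero(plainKey) // step 4: the plaintext key never outlives this call
	gcm, err := gcmFor(plainKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Envelope{encKey, nonce, gcm.Seal(nil, nonce, pdf, encKey)}, nil // steps 2 and 3
}
func DecryptPDF(kms KeyService, env *Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(env.EncryptedDataKey) // KMS unwraps the stored data key
	if err != nil { return nil, err }
	defer zero(plainKey)
	gcm, err := gcmFor(plainKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EncryptedDataKey) // local AES-GCM decrypt
}
// NewStubKMS: constructed stand-in for AWS KMS; master plays the customer managed key and never leaves the closure.
func NewStubKMS(master []byte) (KeyService, error) {
	gcm, err := gcmFor(master)
	if err != nil { return KeyService{}, err }
	gen := func(string) ([]byte, []byte, error) {
		buf := make([]byte, 32+gcm.NonceSize()) // fresh 256-bit data key, then a wrapping nonce
		if _, err := rand.Read(buf); err != nil { return nil, nil, err }
		dk, nonce := buf[:32], buf[32:]
		return dk, append(nonce, gcm.Seal(nil, nonce, dk, nil)...), nil // wrapped = nonce||ct
	}
	dec := func(b []byte) ([]byte, error) { n := gcm.NonceSize(); return gcm.Open(nil, b[:n], b[n:], nil) }
	return KeyService{GenerateDataKey: gen, Decrypt: dec}, nil
}
```

Because the encrypted data key is passed as AAD, a stored envelope whose key blob has been swapped or edited fails authentication instead of decrypting to garbage.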


Contribute your Thoughts:

Filiberto
5 days ago
C looks good, but why not just use KMS directly for everything?
upvoted 0 times
Bernardo
11 days ago
I think B is risky, writing the plaintext key to disk? No way!
upvoted 0 times
Laila
16 days ago
Option A seems solid, using the plaintext key for encryption.
upvoted 0 times
Maryln
22 days ago
I’m a bit confused about whether we should use the KMS Encrypt API or not. I thought we had to handle the keys ourselves for encryption.
upvoted 0 times
Gail
28 days ago
I practiced a similar question where we had to manage keys securely, and I think writing the encrypted key is the right approach.
upvoted 0 times
Shawnda
1 month ago
I feel like option A makes the most sense since it talks about using the encrypted key for later, but I'm not entirely sure.
upvoted 0 times
Rory
1 month ago
I remember that using the plaintext key directly is risky, so I think we should avoid writing it to disk.
upvoted 0 times
Golda
1 month ago
I've got a good strategy for this. I'll write the encrypted key to disk and use the plaintext key to encrypt the file. That way, I can decrypt it later without needing to interact with KMS again.
upvoted 0 times
Pearline
1 month ago
This is a tricky one. I'm a bit confused about when to use the plaintext key versus the encrypted key. I'll need to review the AWS documentation to make sure I have the right approach.
upvoted 0 times
Leslie
1 month ago
Okay, let me think this through. I need to use a symmetric customer managed key, so that rules out a couple of the options. I'll have to carefully read through the details to make sure I understand which approach is correct.
upvoted 0 times
Lorean
1 month ago
Hmm, this seems straightforward. I'll need to use the GenerateDataKey API to get the key, then decide whether to use the plaintext or encrypted version to encrypt the file.
upvoted 0 times
Hayley
2 months ago
I think I have a good strategy for this - I'll look for any suspicious activity or unusual file uploads in the logs, and then match that to the possible attack types listed.
upvoted 0 times
Reita
2 months ago
Using architectures based on products with high MTBF, as in option C, seems like a good strategy to minimize downtime. I'll make sure to consider that as well.
upvoted 0 times
Marci
2 months ago
I'm a little confused by the different DBDL descriptions. I'll need to carefully compare them to the ER diagram to make sure I understand how the relationships are being modeled.
upvoted 0 times
Jestine
2 years ago
Hmm, but I'm not sure about writing the encrypted key to disk. Wouldn't it be better to just use the plaintext key and the KMS Encrypt API to encrypt the file directly?
upvoted 0 times
Jeanice
2 years ago
Yeah, I agree. Options C and D seem to be the only ones that actually use the KMS Encrypt API, which is what the question is asking for.
upvoted 0 times
Alberta
2 years ago
I think the key requirement here is that we need to use the AWS KMS symmetric customer managed key for encryption. That rules out options A and B, which use a separate symmetric algorithm.
upvoted 0 times
Malinda
2 years ago
This is a tricky question. I'm not sure if I fully understand the requirements. Do we need to use the KMS Encrypt API or can we just use a symmetric encryption algorithm with the key from GenerateDataKey?
upvoted 0 times