Q21 — AWS DVA-C02 Ch.1
A developer is building an application that processes 10 MB documents containing highly sensitive data. The application will perform client-side encryption using AWS KMS. Which steps must be followed?
- A. Call the Encrypt API, passing the plaintext data to encrypt, and reference the customer-managed key ARN in the KeyId parameter.
- B. Call the GenerateRandom API to obtain a data encryption key, then use that key to encrypt the data.
- C. Call the GenerateDataKey API to obtain an encrypted version of the data encryption key to encrypt the data.
- D. Call the GenerateDataKey API to obtain the plaintext version of the data encryption key to encrypt the data. ✓
Correct Answer: D. Call the GenerateDataKey API to obtain the plaintext version of the data encryption key to encrypt the data.
Explanation
For client-side encryption with AWS KMS, the standard pattern is to call GenerateDataKey, which returns both a plaintext data key (used to encrypt the data locally) and an encrypted copy of that key (stored alongside the ciphertext). The plaintext key is what encrypts the data, which is exactly what option D describes. Option A passes the plaintext to KMS for encryption, which is server-side rather than client-side encryption. Option B misuses GenerateRandom, which returns only random bytes, not a KMS-protected data key. Option C suggests encrypting with the encrypted copy of the key, which is impossible without first decrypting it. Thus, option D is correct.