Q21 — AWS DVA-C02 Ch.1


A developer is building an application that processes 10 MB documents containing highly sensitive data. The application will perform client-side encryption using AWS KMS. Which steps must be followed?

Correct Answer: D. Call the GenerateDataKey API to obtain the plaintext version of the data encryption key to encrypt the data.

Explanation

For client-side encryption with AWS KMS, the standard pattern is envelope encryption: call GenerateDataKey, which returns both a plaintext data key (used to encrypt the data locally) and a copy of that key encrypted under the KMS key (stored alongside the ciphertext). The plaintext key is used directly to encrypt the document and should be discarded from memory once encryption is done; to decrypt later, the stored encrypted key is passed to the KMS Decrypt API to recover the plaintext key. This is also why a 10 MB document cannot simply be passed to the KMS Encrypt API, which accepts at most 4 KB of plaintext. Option D correctly describes this pattern. Option A uses server-side encryption rather than client-side encryption. Option B misuses GenerateRandom, which produces only random bytes, not a KMS-protected data key. Option C incorrectly suggests encrypting with only the encrypted key, which is impossible without first decrypting it. Thus, option D is correct.