Q81 — AWS DVA-C02 Ch.3
An application under development needs to store hundreds of video files. Before storage, the application must encrypt the data using a unique key for each video file. How should the developer implement this application?
- A. Use the KMS Encrypt API to encrypt the data. Store the encrypted data key and the encrypted data.
- B. Use a cryptographic library to generate an encryption key within the application. Use that key to encrypt the data. Store only the encrypted data.
- C. Use the KMS GenerateDataKey API to obtain a data key. Use the plaintext data key to encrypt the data. Store the encrypted data key and the encrypted data. ✓
- D. Use AWS KMS–based server-side encryption when uploading data to an S3 bucket.
Correct Answer: C. Use the KMS GenerateDataKey API to obtain a data key. Use the plaintext data key to encrypt the data. Store the encrypted data key and the encrypted data.
Explanation
Option C is correct: KMS GenerateDataKey returns both a plaintext data key (used immediately to encrypt the file, then discarded) and an encrypted copy of that key (stored alongside the ciphertext). Calling it once per video gives each file a unique key while KMS still manages, audits, and protects the key material; storing the encrypted data key allows future decryption via KMS Decrypt. Option A calls KMS Encrypt directly, which suits small secrets but not large video files, because of the API's payload size limit and because the data is sent to KMS rather than encrypted client-side. Option B bypasses KMS entirely, so the application must generate, protect, and track hundreds of keys itself, increasing key management complexity and risk. Option D performs server-side encryption in S3, but the requirement specifies encryption *within the application* before storage, not S3-managed encryption. Thus, Option C best satisfies the requirement.