
DVA-C02 Exam - Question 260


A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.

The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.

Which solutions will meet these requirements?

Correct Answer: A

To encrypt the PDF file and be able to decrypt it later, the developer should write the encrypted key returned by the GenerateDataKey API to disk for later use, and use the plaintext key returned by the same call with a symmetric encryption algorithm to encrypt the file. This keeps the plaintext key transient and in memory only, while the encrypted key stored on disk allows the file to be decrypted later.
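The flow this explanation describes, as an added example that is not part of the original page and is not AWS code. `LocalKms` is a constructed offline stand-in for AWS KMS that returns the same `Plaintext` and `CiphertextBlob` fields as GenerateDataKey and Decrypt; the AES-256-GCM choice, the on-disk layout and the helper names are assumptions.

```javascript
const crypto = require('node:crypto');
// AES-256-GCM helper. Output layout: iv (12 bytes) | tag (16 bytes) | ciphertext
function seal(key, data, aad = Buffer.alloc(0)) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob, aad = Buffer.alloc(0)) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Constructed offline stand-in for AWS KMS (assumption, not the AWS SDK).
// Responses use the same field names as GenerateDataKey and Decrypt.
class LocalKms {
  constructor() { this.kmsKey = crypto.randomBytes(32); } // plays the customer managed key
  generateDataKey() {
    const Plaintext = crypto.randomBytes(32); // 256-bit data key
    return { Plaintext, CiphertextBlob: seal(this.kmsKey, Plaintext) };
  }
  decrypt({ CiphertextBlob }) {
    return { Plaintext: unseal(this.kmsKey, CiphertextBlob) };
  }
}

// On-disk layout (assumed): 2-byte blob length | encrypted data key | encrypted PDF.
function encryptFile(kms, pdf) {
  const { Plaintext, CiphertextBlob } = kms.generateDataKey();
  const len = Buffer.alloc(2);
  len.writeUInt16BE(CiphertextBlob.length);
  // AAD ties the encrypted key to this file body (a design choice of this example)
  const body = seal(Plaintext, pdf, CiphertextBlob);
  Plaintext.fill(0); // zero our copy of the plaintext key; it is never written out
  return Buffer.concat([len, CiphertextBlob, body]);
}
function decryptFile(kms, stored) {
  const len = stored.readUInt16BE(0);
  const CiphertextBlob = stored.subarray(2, 2 + len);
  const { Plaintext } = kms.decrypt({ CiphertextBlob }); // KMS recovers the data key
  try {
    return unseal(Plaintext, stored.subarray(2 + len), CiphertextBlob);
  } finally {
    Plaintext.fill(0);
  }
}
```

With the real service, the two `LocalKms` methods correspond to the GenerateDataKey and Decrypt API calls; only the encrypted data key and the encrypted file are persisted.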

Discussion

8 comments
CrescentShared (Option: A)
Feb 21, 2024

Using the KMS Encrypt API to encrypt large amounts of data, such as a PDF file that could be more than 1 MB, is not efficient and can be costly. AWS KMS is designed for encrypting small amounts of data, such as encryption keys or short strings. For larger data, it's recommended to use a client-side encryption library with a data key generated by KMS.

KarBiswa (Option: C)
Mar 3, 2024

https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

KarBiswa
Mar 3, 2024

Sorry, changing it to A, as C is not about saying using plain text data as customized. Though the algorithm word is confusing.

KarBiswa
Mar 23, 2024

C is the option final decision

SerialiDr (Option: A)
Mar 5, 2024

Option A is the most appropriate method for encrypting a PDF file using AWS KMS, where the plaintext key is used for encryption operations, and the encrypted key (not the plaintext key) is stored or managed externally for later decryption use.

ANDRES715 (Option: D)
Feb 28, 2024

According to the AWS documentation, when the GenerateDataKey API is used, you get a plaintext key and an encrypted key. The plaintext key can be written to disk for later use, while the encrypted key is used to encrypt the data. In this case, the developer should write the plaintext key to disk for later use and use the encrypted key to encrypt the PDF file by means of the KMS Encrypt API.

Abdullah22
Mar 5, 2024

Going with C.

DeaconStJohn (Option: C)
Mar 25, 2024

Going with my gut.

65703c1 (Option: A)
May 24, 2024

A is the correct answer.

jyrajan69
Jul 21, 2024

The question clearly says using KMS, so why would you even consider A and B?