Exam DVA-C02
Question 260

A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.

The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.

Which solutions will meet these requirements?

    Correct Answer: A

    To encrypt the PDF file and be able to decrypt it later, the developer should write the encrypted key from the GenerateDataKey API to disk for later use, and use the plaintext key from the GenerateDataKey API with a symmetric encryption algorithm to encrypt the file. This method ensures that the decryption process can be securely managed while keeping the plaintext key transient and used only in memory.
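The approach in the answer above, as an added example that is not part of the original page or AWS's own code: the plaintext data key encrypts the file locally, and only the encrypted data key is stored next to the ciphertext. Assumptions: `kms` is a `boto3.client("kms")`, AES-256-GCM from the `cryptography` package is the symmetric algorithm, and the `ENV1` file layout is constructed for this example.

```python
import os
import struct

MAGIC = b"ENV1"  # constructed 4-byte tag for this example's file layout


def pack_envelope(encrypted_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Layout: MAGIC | uint16 key length | encrypted data key | 12-byte nonce | ciphertext."""
    return MAGIC + struct.pack(">H", len(encrypted_key)) + encrypted_key + nonce + ciphertext


def unpack_envelope(blob: bytes):
    """Split a stored file back into (encrypted data key, nonce, ciphertext)."""
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise ValueError("not an envelope file")
    (key_len,) = struct.unpack(">H", blob[4:6])
    if len(blob) < 6 + key_len + 12 + 16:  # key + nonce + GCM tag
        raise ValueError("truncated envelope file")
    key_end = 6 + key_len
    return blob[6:key_end], blob[key_end:key_end + 12], blob[key_end + 12:]


def encrypt_pdf(kms, key_id: str, pdf: bytes) -> bytes:
    """Encrypt locally with a fresh data key; only the encrypted key is stored."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    data_key = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = os.urandom(12)
    # The encrypted key is passed as associated data, so swapping the
    # header of one file onto another makes decryption fail.
    ciphertext = AESGCM(data_key["Plaintext"]).encrypt(
        nonce, pdf, data_key["CiphertextBlob"])
    # The plaintext key is never written out; it goes out of scope here.
    return pack_envelope(data_key["CiphertextBlob"], nonce, ciphertext)


def decrypt_pdf(kms, blob: bytes) -> bytes:
    """Ask KMS to decrypt the stored data key, then decrypt the file locally."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    encrypted_key, nonce, ciphertext = unpack_envelope(blob)
    plaintext_key = kms.decrypt(CiphertextBlob=encrypted_key)["Plaintext"]
    return AESGCM(plaintext_key).decrypt(nonce, ciphertext, encrypted_key)
```

Only the encrypted key is sent to KMS at download time; the PDF itself never leaves the application, which is why the file's size is not a constraint.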

Discussion
CrescentShared (Option: A)

Using the KMS Encrypt API to encrypt large amounts of data, such as a PDF file that could be more than 1 MB, is not efficient and can be costly. AWS KMS is designed for encrypting small amounts of data, such as encryption keys or short strings. For larger data, it's recommended to use a client-side encryption library with a data key generated by KMS.

SerialiDr (Option: A)

Option A is the most appropriate method for encrypting a PDF file using AWS KMS, where the plaintext key is used for encryption operations, and the encrypted key (not the plaintext key) is stored or managed externally for later decryption use.

KarBiswa (Option: C)

https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

KarBiswa

Sorry, changing it to A, as C is not about saying using plain text data as customized. Though the algorithm word is confusing.

KarBiswa

C is the option final decision

jyrajan69

The question clearly says using KMS, so why would you even consider A and B?

65703c1 (Option: A)

A is the correct answer.

DeaconStJohn (Option: C)

Going with my gut.

Abdullah22

Going with C.

ANDRES715 (Option: D)

According to the AWS documentation, when the GenerateDataKey API is used, you get a plaintext key and an encrypted key. The plaintext key can be written to disk for later use, while the encrypted key is used to encrypt the data. In this case, the developer should write the plaintext key to disk for later use and use the encrypted key to encrypt the PDF file by using the KMS Encrypt API.