You have an application that needs to encrypt data using the KMS service.
The company has already defined the customer master key in AWS for usage in the application.
Which of the following steps must be followed in the encryption process? Choose 2 answers from the options given below.
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - A and C.
Options B and D are incorrect because you will not use the Customer Key to encrypt and decrypt data directly.
The AWS Documentation mentions the following.
We recommend that you use the following pattern to encrypt data locally in your application.
Use this operation (GenerateDataKey) to get a data encryption key.
Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.
For more information on generating data key, please refer to the below URL-
https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.htmlWhen encrypting data using the AWS KMS service, the following two steps must be followed:
A. Use the GenerateDataKey to get the data key to encrypt the data. The first step is to use the GenerateDataKey API call to retrieve a plaintext data encryption key. The plaintext data encryption key is used to encrypt the data, and it is encrypted under the specified customer master key. The customer master key is never used directly to encrypt data, as it is only used to encrypt data encryption keys. By using a data encryption key for each piece of data, you can improve security by limiting the amount of data that could be exposed if a key is compromised.
B. Use CustomerMaster Key to encrypt the data. Once you have the plaintext data encryption key, you can use it to encrypt the data. The plaintext data encryption key is never stored, and is deleted immediately after use. The encrypted data encryption key is stored alongside the encrypted data, and is needed to decrypt the data.
C. Delete the plaintext data encryption key after the data is encrypted. The plaintext data encryption key should be deleted immediately after it is used to encrypt the data. This ensures that the key is not accidentally exposed, and reduces the risk of it being compromised. You can use the DeleteKey API call to delete the key.
D. Delete the Customer Master Key after the data is encrypted. You should not delete the customer master key after the data is encrypted. The customer master key is needed to decrypt the data encryption key, which is required to decrypt the data. If the customer master key is deleted, the encrypted data and data encryption key cannot be decrypted.
In summary, after retrieving the plaintext data encryption key using GenerateDataKey, you should use it to encrypt the data and then delete it immediately. The customer master key should not be deleted after the data is encrypted, as it is required to decrypt the data.