You have a Cron job that will run on the EC2 instance.
The job calls a bash script that will encrypt a file whose size is about 2kb.
You prefer that the encryption is performed through a Customer Master Key (CMK) in KMS.
So, you have created a CMK for this task.
The script uses AWS CLI to do the encryption.
How do you encrypt the file using the CMK in the bash script?
A. B. C. D.

Answer: A.
Option A is CORRECT because "aws kms encrypt" already meets the requirement since the file size is about 2kb.
Option B is incorrect because envelope encryption is not required in this scenario.
The bash script can use "aws kms encrypt" for the encryption, and there is no need to maintain any data key.
Option C is incorrect because envelope encryption uses the plaintext data key (not the encrypted data key) to encrypt the data, and envelope encryption is unnecessary here anyway.
Option D is incorrect because the "aws kms encrypt" command is not used to generate the data key.
For more information on KMS, kindly refer to the URL provided below:
https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html

To encrypt the file using the Customer Master Key (CMK) in KMS through a bash script using the AWS CLI, the following steps can be followed:
1. Create a CMK: First, create a CMK in KMS that will be used for encrypting the file. This can be done using the AWS Management Console or the AWS CLI command "aws kms create-key". Make sure to note down the CMK's ARN.
2. Generate a Data Key: To encrypt the file using the CMK, a data key needs to be generated first. This can be done using the "aws kms generate-data-key" command. This command generates a plaintext data key and an encrypted data key. The plaintext data key can be used to encrypt the file, while the encrypted data key can be stored securely for later use.
3. Encrypt the File: Once the data key is generated, it can be used to encrypt the file using the "aws kms encrypt" command. This command encrypts the file using the plaintext data key and then encrypts the data key itself using the CMK. The resulting ciphertext and encrypted data key can be stored securely.
Based on the above steps, the answer to the question is Option C: Use "aws kms generate-data-key" to generate a data key, then use the encrypted data key to encrypt the file.
Option A is incorrect because it does not involve envelope encryption, which is required when encrypting data using a CMK.
Option B is incorrect because it suggests using the plaintext data key to encrypt the file, which is not recommended for security reasons.
Option D is incorrect because it suggests using the "aws kms encrypt" command to generate a data key, which is not possible. The "aws kms encrypt" command is used to encrypt data using a data key, not to generate a data key.
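The direct "aws kms encrypt" call behind option A, as an added bash example that is not part of the original page. It assumes an installed and credentialed AWS CLI, a placeholder CMK alias in KEY_ID, an assumed encryption context value, and an AWS_CMD variable added so the CLI can be swapped for a stub; the size guard enforces the 4096-byte plaintext ceiling of "aws kms encrypt", which is what decides whether a file can be encrypted directly or needs a data key.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): encrypt a small file directly
# under a KMS CMK with "aws kms encrypt", the approach behind option A.
# Assumptions: the AWS CLI is installed and has credentials; KEY_ID is a
# placeholder for the CMK's key ID, ARN or alias; AWS_CMD is an added knob
# so the CLI binary can be swapped for a stub when testing offline.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
# "aws kms encrypt" takes at most 4096 bytes of plaintext. A 2 KB file fits;
# anything larger needs envelope encryption via "aws kms generate-data-key".
KMS_ENCRYPT_MAX_BYTES=4096

# file_size_bytes FILE: print the size in bytes (works with GNU and BSD wc).
file_size_bytes() {
  wc -c < "$1" | tr -d ' '
}

# encrypt_file_with_cmk KEY_ID PLAINTEXT_FILE CIPHERTEXT_FILE
# Writes the raw (base64-decoded) CiphertextBlob to CIPHERTEXT_FILE.
# Returns 0 on success, 2 if the input exceeds the direct-encrypt limit,
# and the CLI's own status if the KMS call fails.
encrypt_file_with_cmk() {
  local key_id="$1" plaintext="$2" ciphertext="$3"
  local size blob
  size="$(file_size_bytes "$plaintext")"
  if [ "$size" -gt "$KMS_ENCRYPT_MAX_BYTES" ]; then
    echo "refusing: $plaintext is $size bytes, limit is $KMS_ENCRYPT_MAX_BYTES" >&2
    return 2
  fi
  # fileb:// sends the raw bytes; --output text with --query returns only
  # the base64 blob. The encryption context is an assumed value and must be
  # supplied again, unchanged, on decrypt.
  blob="$("$AWS_CMD" kms encrypt \
    --key-id "$key_id" \
    --plaintext "fileb://$plaintext" \
    --encryption-context purpose=cron-backup \
    --output text --query CiphertextBlob)" || return $?
  printf '%s' "$blob" | base64 -d > "$ciphertext"
}

# Cron entry point, e.g. "0 2 * * * /opt/scripts/encrypt.sh /var/app/report.txt".
# KEY_ID is a placeholder; set it to the real CMK alias or ARN.
main() {
  [ "$#" -eq 1 ] || { echo "usage: $0 FILE" >&2; return 1; }
  encrypt_file_with_cmk "${KEY_ID:-alias/PLACEHOLDER-CMK}" "$1" "$1.enc"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Decrypting later is the mirror image: "aws kms decrypt --ciphertext-blob fileb://FILE.enc" with the same encryption context, and KMS identifies the CMK from the ciphertext itself.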