AWS Jenkins Pipeline Encryption and Decryption | SCS-C01 Exam Answer

Decryption Command for AWS KMS | AWS Certified Security - Specialty

Question

As a DevOps engineer, you need to maintain Jenkins pipelines.

Recently, you have created a new pipeline for a migration project.

In one stage, you encrypted a file with the command below:

aws kms encrypt \
  --key-id 1234abcd-fa85-46b5-56ef-1234567890ab \
  --plaintext fileb://ExamplePlaintextFile \
  --output text \
  --query CiphertextBlob | base64 --decode > ExampleEncryptedFile

A CMK key was used in the encryption operation.

Then in another stage, the encrypted file needs to be decrypted with "aws kms decrypt".

In terms of the decryption command, which statement is correct?

Answers

A. The CMK key ID is needed for "aws kms decrypt".
B. The CMK key ARN is needed for "aws kms decrypt".
C. The encrypted data key is needed for "aws kms decrypt".
D. There is no need to add the CMK key information for this command.

Explanations

Correct Answer - D.

Check the below links for how to use KMS encrypt/decrypt.

KMS encrypt: https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html.

KMS decrypt: https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html.

Options A and B are incorrect: the AWS CLI "aws kms decrypt" command has the format below:

aws kms decrypt \
  --ciphertext-blob fileb://ExampleEncryptedFile \
  --output text \
  --query Plaintext | base64 --decode > ExamplePlaintextFile

There is no need to add the key information: when the ciphertext was produced under a symmetric CMK (which is the case here, since the encrypt command did not specify an asymmetric encryption algorithm), KMS reads the key ID from metadata it stores in the ciphertext blob. The --key-id parameter is required only for ciphertext encrypted under an asymmetric CMK. It may also be given for a symmetric CMK as a safeguard, so that decryption fails if the blob was encrypted under a different key, but the question asks what is needed, and it is not needed.

This is different from "aws kms encrypt", where --key-id is always required.

Option C is incorrect: the file was encrypted directly with the CMK by "aws kms encrypt", not with a data key obtained from GenerateDataKey, so there is no encrypted data key involved in either the encryption or the decryption.

Option D is CORRECT: Refer to the above explanations.
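As an added example (not code from the original page or from AWS), the two Jenkins stages written as POSIX sh functions: the encrypt stage names the CMK, the decrypt stage does not, and an optional third argument to the decrypt function shows how --key-id can still be passed as a safeguard. The command flags are the real AWS CLI flags documented at the links above; the file names, the encryption context, the "run" entry point and the sample plaintext are assumptions. Running it for real requires AWS credentials and permission to use the key.

```shell
#!/bin/sh
# Added example, not code from the original page: the two Jenkins stages as
# POSIX sh functions. KEY_ID is the key from the question; the file names,
# the "run" entry point and the encryption context are assumptions.
set -eu

KEY_ID="${KEY_ID:-1234abcd-fa85-46b5-56ef-1234567890ab}"
# Assumed encryption context (additional authenticated data). It is not
# secret, but decryption fails unless the identical pairs are supplied.
ENC_CONTEXT="project=migration,stage=jenkins"

# Stage 1: encrypt. This is the only place the CMK has to be named.
kms_encrypt_file() {
  plaintext_file="$1"; ciphertext_file="$2"
  blob_b64=$(aws kms encrypt \
    --key-id "$KEY_ID" \
    --plaintext "fileb://$plaintext_file" \
    --encryption-context "$ENC_CONTEXT" \
    --output text \
    --query CiphertextBlob)
  printf '%s' "$blob_b64" | base64 --decode > "$ciphertext_file"
}

# Stage 2: decrypt. No --key-id is needed for a symmetric CMK: KMS reads the
# key id from metadata inside the ciphertext blob. An optional third argument
# adds --key-id anyway, as a safeguard: the call then fails if the blob was
# encrypted under any other key.
kms_decrypt_file() {
  ciphertext_file="$1"; plaintext_file="$2"; expected_key_id="${3:-}"
  set -- kms decrypt \
    --ciphertext-blob "fileb://$ciphertext_file" \
    --encryption-context "$ENC_CONTEXT" \
    --output text \
    --query Plaintext
  if [ -n "$expected_key_id" ]; then
    set -- "$@" --key-id "$expected_key_id"
  fi
  # Capture first so a failed aws call aborts the script (set -e) instead of
  # silently writing an empty file through the pipe.
  plain_b64=$(aws "$@")
  printf '%s' "$plain_b64" | base64 --decode > "$plaintext_file"
}

# Round trip, run only when invoked as: sh kms_stages.sh run
main() {
  printf 'db_password=example' > ExamplePlaintextFile   # constructed sample input
  kms_encrypt_file ExamplePlaintextFile ExampleEncryptedFile
  kms_decrypt_file ExampleEncryptedFile ExampleDecryptedFile "$KEY_ID"
  cmp ExamplePlaintextFile ExampleDecryptedFile && echo "round trip OK"
}
if [ "${1:-}" = "run" ]; then
  main
fi
```

Capturing the CLI output into a variable before decoding matters in a pipeline: with a plain pipe and no pipefail, a failed "aws kms decrypt" (wrong key, missing context, no permission) would still produce an empty output file and the stage would appear to succeed.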

The correct statement for the decryption command is: D. There is no need to add the CMK key information for this command.

Explanation:

  • AWS KMS is used to create and manage the cryptographic keys that protect data.
  • In the given encryption command, a symmetric Customer Master Key (CMK) identified by its key ID "1234abcd-fa85-46b5-56ef-1234567890ab" was used to encrypt the plaintext file (no asymmetric encryption algorithm was specified, so the default SYMMETRIC_DEFAULT applies).
  • The encrypted file is saved in ExampleEncryptedFile.
  • To decrypt the file, the aws kms decrypt command is used.
  • The aws kms decrypt command requires only the following parameter:
    • --ciphertext-blob: the blob of encrypted data.
  • The --key-id parameter (key ID or ARN of the CMK) is optional for ciphertext produced under a symmetric CMK, because KMS reads the key from metadata embedded in the ciphertext blob. It is required only for ciphertext produced under an asymmetric CMK, and is recommended as a safeguard with symmetric CMKs so that decryption fails if the blob was encrypted under a different key.
  • Therefore, in this scenario, the correct statement is that no CMK key information has to be added to "aws kms decrypt".
  • Options A (CMK key ID) and B (CMK key ARN) are not correct: either form would be accepted as the --key-id value, but neither is needed for this command.
  • Option C (encrypted data key) is not correct: an encrypted data key is produced by GenerateDataKey for envelope encryption; this pipeline encrypted the file directly with the CMK, so no data key is used in the decryption process.
  • Option D (no need to add the CMK key information for this command) is correct.