Encrypting Docker Containers with AWS KMS: Best Practices for Data Security

Encrypting Docker Containers with AWS KMS


Question

Your development team is working with Docker containers.

These containers need to encrypt data.

The data key needs to be generated using the KMS service.

The data key should be in the encrypted format.

Which of the following would you most ideally use? (Choose 2 options)

Answers

Explanations


Answer - B and C.

The AWS documentation states the following:

GenerateDataKeyWithoutPlaintext returns a data encryption key encrypted under a customer master key (CMK).

This operation is identical to GenerateDataKey but returns only the encrypted copy of the data key.

Option A is incorrect because the GenerateDataKey command returns both the original plaintext key and the encrypted copy of the key.

Option B is CORRECT because the GenerateDataKeyWithoutPlaintext command returns only the encrypted copy of the data key, which is what the question requires.

Option C is CORRECT because the CMK is required to encrypt the data keys with the above command.

Option D is invalid since the question states that you need to use the KMS service.

For more information on generating data keys, please refer to the URL below:

https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html

To encrypt data in Docker containers, we can generate a data key using the AWS Key Management Service (KMS) and then use this key to encrypt and decrypt the data. There are two options available to generate an encrypted data key in KMS:

  1. GenerateDataKeyWithoutPlaintext command: This option generates a data key and returns only its encrypted copy; the plaintext version of the key is never returned to the caller. The container stores the encrypted key and asks KMS to decrypt it whenever it needs the plaintext key to encrypt or decrypt data.

  2. Use a CMK: AWS KMS allows you to create and manage customer master keys (CMKs), which are used to generate and protect data keys. The CMK encrypts the data keys that in turn encrypt and decrypt data within the Docker containers.

Therefore, options B and C are the correct answers. Option A, the GenerateDataKey command, also returns the data key in plaintext, so it does not meet the requirement that the data key be returned in encrypted form. Option D, client-side keys, refers to keys generated outside of AWS, which does not meet the requirement to generate the data key with KMS.
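The envelope-encryption flow the explanation describes, as an added example that is not part of the original page and is not AWS code. `KMSStandIn` is a constructed, in-memory stand-in for the GenerateDataKey, GenerateDataKeyWithoutPlaintext and Decrypt calls (its CiphertextBlob layout is invented for this example and is not the real KMS format), and `toy_encrypt`/`toy_decrypt` are a SHA-256-based stand-in for a real authenticated cipher such as AES-GCM; in production you would use the boto3 `kms` client and a vetted cipher library. What it shows is the consequence of option B: the container holds only the encrypted data key and must call Decrypt (for which it needs IAM permission on the CMK) before it can encrypt or decrypt anything, while the CMK material itself never leaves KMS.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte data key.
    return hashlib.sha256(label + key).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream built from SHA-256; stands in for AES here.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag (constructed toy AEAD).
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class KMSStandIn:
    """Constructed in-memory stand-in for the KMS calls discussed on the page.

    CMK material stays inside this object, mirroring the fact that a real CMK
    never leaves KMS. The CiphertextBlob layout (key id, NUL, wrapped key) is
    invented for this example.
    """

    def __init__(self) -> None:
        self._cmks: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = f"constructed-cmk-{len(self._cmks) + 1}"
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def _wrap(self, key_id: str, data_key: bytes) -> bytes:
        return key_id.encode() + b"\0" + toy_encrypt(self._cmks[key_id], data_key)

    def generate_data_key(self, KeyId: str) -> dict:
        # Option A in the question: both copies of the data key come back.
        data_key = os.urandom(32)
        return {"KeyId": KeyId, "Plaintext": data_key,
                "CiphertextBlob": self._wrap(KeyId, data_key)}

    def generate_data_key_without_plaintext(self, KeyId: str) -> dict:
        # Option B: only the encrypted copy is returned to the caller.
        data_key = os.urandom(32)
        return {"KeyId": KeyId, "CiphertextBlob": self._wrap(KeyId, data_key)}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        # As with KMS Decrypt, the key id is recovered from the blob itself.
        key_id, wrapped = CiphertextBlob.split(b"\0", 1)
        cmk = self._cmks[key_id.decode()]
        return {"KeyId": key_id.decode(), "Plaintext": toy_decrypt(cmk, wrapped)}


def container_encrypt(kms: KMSStandIn, encrypted_key: bytes, record: bytes) -> bytes:
    # The encrypted key is opaque to the container: a Decrypt call is needed
    # first. The plaintext key should live only in memory, never on disk or in logs.
    plaintext_key = kms.decrypt(CiphertextBlob=encrypted_key)["Plaintext"]
    return toy_encrypt(plaintext_key, record)


def container_decrypt(kms: KMSStandIn, encrypted_key: bytes, blob: bytes) -> bytes:
    plaintext_key = kms.decrypt(CiphertextBlob=encrypted_key)["Plaintext"]
    return toy_decrypt(plaintext_key, blob)


def envelope_roundtrip(record: bytes = b"constructed sample payload") -> dict:
    """Run the whole flow once and report what a practitioner would check."""
    kms = KMSStandIn()
    cmk_id = kms.create_key()
    resp = kms.generate_data_key_without_plaintext(KeyId=cmk_id)
    encrypted_key = resp["CiphertextBlob"]  # store this alongside the data
    ciphertext = container_encrypt(kms, encrypted_key, record)
    recovered = container_decrypt(kms, encrypted_key, ciphertext)
    tampered = bytearray(ciphertext)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit of ciphertext (or of the tag if empty)
    try:
        container_decrypt(kms, encrypted_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"plaintext_key_returned": "Plaintext" in resp,
            "roundtrip_ok": recovered == record,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(envelope_roundtrip())
```

Note that the container never sees the CMK: it only ever holds the encrypted data key and, transiently, the plaintext data key that Decrypt returns, which is exactly the separation the question is testing for.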