You're building a distributed HPC system that will process large multi-GB files.
The sensitive nature of the data in these files requires them to be encrypted.
What steps are the best approach to use AWS KMS to satisfy the encryption requirement (Select TWO)?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A and C.
Option A is CORRECT because you can use GenerateDataKeyWitoutPlaintext API to generate a data key.
This data key is then distributed to the individual components of the distributed system.
Option B is incorrect because Encrypt API can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data, not large files specified in the question scenario.
Option C is CORRECT because Decrypt API needs to be used by the individual components processing the data to decrypt the data key.Then plaintext key can be used to encrypt the data.
Option D is incorrect because it is not good practice to distribute plaintext data keys with the system components.
Also, the option does not specify that the data key would be distributed among the system components, so we can't make that assumption.
If each component calls GenerateDataKey API, each component will use a different key to encrypt the data.
This is not desirable for a distributed system.
In distributed systems, one component of your system is responsible for creating new components.
It stores an encrypted data key with each new component.
The component first decrypts the data key, then uses the plaintext data key to encrypt data.
In this system, the component that creates the system components never sees the plaintext data key.
Reference:
https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.htmlTo securely encrypt large multi-GB files in a distributed HPC system on AWS, you can use AWS Key Management Service (KMS) to manage and protect the encryption keys. KMS is a fully managed service that makes it easy to create, rotate, and manage cryptographic keys used for data encryption.
To satisfy the encryption requirement, you can use the following approach with AWS KMS:
Use GenerateDataKeyWithoutPlaintext API: This API generates a new data encryption key in encrypted form without revealing the plaintext key. You can use this key to encrypt your sensitive data. It returns both the encrypted data key and a plaintext key encryption key that you can distribute to the system components that need to encrypt or decrypt the data.
Use Encrypt API to encrypt the data: Use the plaintext data key obtained from step 1 to encrypt your sensitive data using the Encrypt API. This API encrypts the plaintext data using the specified data key and returns the ciphertext. Make sure to store the encrypted data key and ciphertext securely, as they are sensitive information.
These two steps provide a secure and efficient way to encrypt large multi-GB files in a distributed HPC system. The data key is protected and distributed securely among the components that need it without revealing the plaintext key. The sensitive data is encrypted using the data key obtained from the KMS service.
Option C is not a recommended approach because it involves using the plaintext data key to encrypt the data, which increases the risk of data exposure. Option D is also not recommended as it generates a plaintext data key for each component, which increases the risk of key exposure and complicates key management.