Client-Side Data Encryption for Secure Data Transfer | AWS Certified Developer - Associate Exam

Client-Side Data Encryption


Question

As a programmer, you have been hired to develop an application for a company.

The application needs to first encrypt the data at the client side before sending it to a destination location.

How can you achieve this? The size of the data is generally around 1 - 4 MB.

Each object needs to have its own key to encrypt the data.

Explanations


Answer - C.

The AWS Documentation mentions the following.

We recommend that you use the following pattern to encrypt data locally in your application.

Use this operation (GenerateDataKey) to get a data encryption key.

Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.

Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.

Option A is incorrect since you don't upload the data to KMS to encrypt it.

Option B is incorrect since the CMK itself is not used to encrypt large data objects.

Option D is incorrect since the data would only be encrypted at rest, and the question states that the object needs to be encrypted at the client side.

For more information on the GenerateDataKey API, please refer to the URL below:

https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

The correct answer for this scenario is option C - Use the GenerateDataKey API to get the key from a CMK.

When we need to encrypt data at the client side, we need a way to generate a key that can be used for encryption. This key should be unique for each object that needs to be encrypted. Using a single key to encrypt multiple objects can lead to security vulnerabilities as the compromise of one key can lead to the compromise of all the data encrypted with that key.

AWS Key Management Service (KMS) provides the GenerateDataKey API, which generates a unique data encryption key for each object that needs to be encrypted. The API returns both a plaintext and an encrypted version of the data key. The client-side application uses the plaintext version to encrypt the data locally and stores the encrypted version alongside the encrypted data. When the encrypted data reaches its destination, the encrypted data key is passed to the KMS Decrypt operation to recover the plaintext key, which is then used to decrypt the data.

Here are the reasons why the other options are incorrect:

A. Upload the data to KMS and use the CMK to encrypt the data - This is not a viable option because KMS keys are used to encrypt other keys (the data keys), not the data itself.

B. Use the CMK ARN to get the key and encrypt the data - This option is not correct because a CMK cannot be used to encrypt the data directly. It is only used to encrypt and decrypt data encryption keys.

D. Upload the data to an S3 bucket with encryption enabled - This option is not viable because S3 server-side encryption is not client-side encryption. It only protects the data at rest once it has been stored in S3.