AWS KMS CLI Encryption Process

Question

Your company has a set of files, up to 4 KB each in size, that needs to be encrypted at the client side.

Since the company already uses a lot of AWS services, they want to use the AWS KMS CLI to encrypt the data files.

Which of the following steps are required in the encryption process? Choose 2 answers from the options given below.

Answers

Explanations

Answer - A and C.

AWS provides an Amazon encryption client which is embedded into the AWS SDK and CLI.

With client-side encryption using AWS KMS, the customer creates a CMK in KMS, identified by its Key ID. The high-level encryption workflow is as follows:

File/Object and CMK Key ID is passed to the AWS encryption client using SDK or CLI.

The encryption client requests a data key from KMS using the specified CMK Key ID. KMS uses the CMK to generate a unique data encryption key, which the client then uses to encrypt the object data.

For more information on client-side encryption using KMS CMK on S3 data, please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html

A worked example of implementing client-side encryption with a KMS CMK is given here:

https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/

Option B is incorrect because, when the AWS KMS Encrypt CLI is used to encrypt files that are less than 4 KB, there is no need to create or fetch data keys.
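The two required steps (option A, create the CMK; option C, encrypt directly with the AWS KMS Encrypt CLI) as a POSIX shell script. This is an added example, not code from the original page or from AWS; it assumes the AWS CLI is installed and that credentials with kms:CreateKey, kms:Encrypt and kms:Decrypt permissions are configured. The function names, the key description and the file names are placeholders chosen for the example. The script also encodes the reason option B is unnecessary: it checks the plaintext against the 4096-byte limit of aws kms encrypt and refuses anything larger, which is the case where a data key (envelope encryption) would be needed instead.

```shell
#!/bin/sh
# Added example (not from the original page or from AWS): encrypt small files
# with a KMS CMK directly, without generating or fetching a data key.
# Assumes the AWS CLI and credentials with kms:CreateKey/kms:Encrypt/kms:Decrypt
# on the key are available. All names below are placeholders.

KMS_MAX_PLAINTEXT=4096   # aws kms encrypt accepts at most 4096 bytes of plaintext

# Byte size of a file; works with both GNU and BSD wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 if the file can be encrypted in one aws kms encrypt call, 1 otherwise.
fits_kms_encrypt() {
    [ "$(file_size "$1")" -le "$KMS_MAX_PLAINTEXT" ]
}

# Step 1 (option A): create the CMK and print its Key ID.
create_cmk() {
    aws kms create-key --description "$1" \
        --query KeyMetadata.KeyId --output text
}

# Step 2 (option C): encrypt a file under the CMK. No data key is created or
# fetched; KMS encrypts the plaintext itself. The CiphertextBlob comes back
# base64-encoded, so it is decoded to raw bytes for storage.
kms_encrypt_file() {
    key_id=$1; plaintext=$2; ciphertext=$3
    if ! fits_kms_encrypt "$plaintext"; then
        echo "refusing: $plaintext exceeds $KMS_MAX_PLAINTEXT bytes;" \
             "use a data key (generate-data-key) and envelope encryption instead" >&2
        return 1
    fi
    aws kms encrypt --key-id "$key_id" --plaintext "fileb://$plaintext" \
        --query CiphertextBlob --output text | base64 -d > "$ciphertext"
}

# Decrypt a file produced by kms_encrypt_file. For a symmetric CMK the key
# identity is embedded in the ciphertext, so no --key-id is required.
kms_decrypt_file() {
    ciphertext=$1; plaintext=$2
    aws kms decrypt --ciphertext-blob "fileb://$ciphertext" \
        --query Plaintext --output text | base64 -d > "$plaintext"
}

# Usage (placeholder file names), run only when the script is invoked as
# "encrypt-demo" so that sourcing the file does not call AWS:
#   KEY_ID=$(create_cmk "client-side-files-cmk")
#   kms_encrypt_file "$KEY_ID" secret.txt secret.txt.enc
#   kms_decrypt_file secret.txt.enc secret.dec.txt
if [ "${1:-}" = "encrypt-demo" ]; then
    KEY_ID=$(create_cmk "client-side-files-cmk")
    kms_encrypt_file "$KEY_ID" secret.txt secret.txt.enc
    kms_decrypt_file secret.txt.enc secret.dec.txt
fi
```

The size check is the practical boundary between the two KMS patterns: up to 4096 bytes the CMK can encrypt the data directly (this question's scenario), while anything larger must be encrypted locally under a data key obtained from aws kms generate-data-key, with only that data key wrapped by the CMK.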

Option D is incorrect because the question does not mention any requirement to use your own key material.

For more information on the concepts for the Key Management Service, please visit the below URL.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Note:

Options A and C must be performed in sequence to encrypt the data client-side using KMS.

The data key is generated in the background by KMS using the CMK; this is abstracted away from the user.

To encrypt the files using the AWS KMS CLI, the following steps are required:

  1. Create a new CMK key in the AWS Key Management service: A customer master key (CMK) is a logical representation of a master key that is used to encrypt and decrypt data keys. The CMK is created in the AWS Key Management Service (KMS) and is used to encrypt and decrypt data using the data keys. Therefore, before encrypting any data, a new CMK key must be created in the AWS KMS. This can be done using the AWS KMS Console or AWS CLI.

  2. Create a new data key in the AWS Key Management service and fetch the data key through AWS KMS CLI: After creating the CMK key, the next step is to create a new data key in the AWS KMS. Data keys are used to encrypt and decrypt data. Once the data key is created, it must be fetched through the AWS KMS CLI. This can be done using the aws kms generate-data-key command.

  3. Use AWS KMS Encrypt CLI to encrypt files using the CMK key: The final step is to use the AWS KMS Encrypt CLI to encrypt the files using the CMK key and the data key that was fetched in the previous step. This can be done using the aws kms encrypt command. The command takes the plaintext data as input and returns the ciphertext data.

Therefore, options A and B are the required steps in the encryption process using the AWS KMS CLI. Option C is also a required step, but it is not the only step required. Option D is not required in this scenario, as the key material is managed by the AWS KMS service itself.