An application encrypts data before writing it to a database. The company uses AWS KMS. To improve performance and reduce KMS API call costs, the application needs to encrypt data locally using a data key.<br/><br/>Which KMS API call should the application use to obtain the key?

Answer options:

Encrypt

GenerateDataKey

GetParameters

Decrypt

How to approach this question

Understand the envelope encryption process in AWS KMS.

Full Answer

B.GenerateDataKey✓ Correct

In envelope encryption, you use the GenerateDataKey operation. KMS returns a plaintext version of the data key and an encrypted version. You use the plaintext key to encrypt your data locally, then store the encrypted key alongside the encrypted data.

Common mistakes

Choosing Encrypt, which is limited to 4KB of data and requires sending the data over the network to KMS.

Question 14 All questions Question 16

Practice the full AWS SAA-C03 Practice Exam 6

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02A company has two AWS accounts: Account A for development and Account B for production. Developer...Medium Q03A mobile application needs to authenticate users using their social media accounts (Facebook, Goo...Easy Q04A company is running an application on Amazon EC2 instances. The application needs to connect to ...Medium Q05A company has 50 AWS accounts managed by AWS Organizations. The IT team wants to implement a cent...Easy

View all 65 questions →