
Exam AWS Certified Security - Specialty topic 1 question 95 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 95
Topic #: 1

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

  • A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
  • B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data.
  • C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
  • D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
Suggested Answer: D

Comments

EricR17
Highly Voted 3 years, 8 months ago
While C and D are very close to being the same thing, D is the correct answer. https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
To encrypt data outside of AWS KMS:
1. Use the GenerateDataKey operation to get a data key.
2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.
3. **** Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data. ****
To decrypt data outside of AWS KMS:
1. **** Use the Decrypt operation to decrypt the encrypted data key. **** The operation returns a plaintext copy of the data key.
2. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.
upvoted 17 times
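The four-step envelope flow quoted above, written out as an added Go example; this is not code from the exam page, from the commenter, or from AWS. A DataKeyService interface stands in for the two KMS calls the flow needs (in real code it would be backed by the SDK's KMS GenerateDataKey and Decrypt calls, which is an assumption here and not shown), and fakeKMS is a constructed in-memory stand-in so the example runs offline. The persisted record, Envelope, holds the encrypted data key beside the encrypted data, which is answer D; the plaintext data key exists only inside the two functions and is zeroed before they return.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// DataKeyService is the slice of the KMS API the envelope pattern needs. Real code
// would back it with the SDK's KMS GenerateDataKey and Decrypt calls (assumed, not shown).
type DataKeyService interface {
	GenerateDataKey() (plaintext, ciphertextBlob []byte, err error)
	Decrypt(ciphertextBlob []byte) ([]byte, error)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG available: nothing sensible to do but stop
	}
	return b
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext; open reverses it and rejects tampering.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// fakeKMS is a constructed, in-memory stand-in for KMS so the example runs offline.
// Its master key stays inside the struct, just as a KMS key never leaves KMS.
type fakeKMS struct{ master cipher.AEAD }

func newFakeKMS() *fakeKMS {
	aead, _ := newAESGCM(randBytes(32)) // a 32-byte key is always valid for AES
	return &fakeKMS{master: aead}
}

func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := randBytes(32) // fresh AES-256 data key
	return dk, seal(f.master, dk), nil
}

func (f *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(f.master, blob) }

// Envelope is what the application persists: the encrypted data key stored
// alongside the encrypted data (answer D). No plaintext key is ever written.
type Envelope struct {
	EncryptedDataKey []byte
	Ciphertext       []byte
}

// zero overwrites a plaintext key once it is no longer needed.
func zero(b []byte) { for i := range b { b[i] = 0 } }

// EnvelopeEncrypt: GenerateDataKey, encrypt locally, erase the plaintext key,
// keep the CiphertextBlob with the data.
func EnvelopeEncrypt(svc DataKeyService, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := svc.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	aead, err := newAESGCM(dk)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDataKey: wrapped, Ciphertext: seal(aead, plaintext)}, nil
}

// EnvelopeDecrypt: one Decrypt call unwraps the stored key, the data is
// decrypted locally, and the plaintext key is erased again.
func EnvelopeDecrypt(svc DataKeyService, env *Envelope) ([]byte, error) {
	dk, err := svc.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	aead, err := newAESGCM(dk)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}
```

Two properties are worth checking when you run this: a stored data key that has been tampered with, or one wrapped under a different KMS key, fails to unwrap (AES-GCM authenticates the blob), so the application never decrypts data with a key it cannot trust; and the plaintext key only ever lives on the stack of the two Envelope functions, which is what makes option D both the simplest and the most secure of the four.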
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
D is the definition of envelope encryption, and it is the way things work. A is the poor and randomly written version of D.
upvoted 2 times
epomatti
1 year, 10 months ago
Selected Answer: D
Correct is D. A is incorrect since KMS does NOT handle data key persistence. You are responsible for enveloping it along with the data.
upvoted 1 times
kvirk
2 years, 3 months ago
Selected Answer: D
D is correct
upvoted 1 times
examtopicswaeron
2 years, 3 months ago
Selected Answer: A
A for me
upvoted 2 times
YouYouYou
3 years, 5 months ago
Selected Answer: D
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
"A formatted message that stores encrypted data keys with the encrypted data: The AWS Encryption SDK stores the encrypted data and encrypted data key together in an encrypted message that uses a defined data format. This means you don't need to keep track of or protect the data keys that encrypt your data because the AWS Encryption SDK does it for you. Some language implementations of the AWS Encryption SDK require an AWS SDK, but the AWS Encryption SDK doesn't require an AWS account and it doesn't depend on any AWS service. You need an AWS account only if you choose to use AWS KMS keys to protect your data."
Answer D.
upvoted 2 times
kiev
3 years, 8 months ago
I honestly do not know the answer, but D looks smooth to me.
upvoted 1 times
analyser
3 years, 8 months ago
Answer: A. Why do we need KMS if the key is stored in the application? Also, storing the key along with the data is a serious vulnerability.
upvoted 1 times
ChauPhan
3 years, 8 months ago
You need to read up to understand the KMS key and the data key. https://docs.aws.amazon.com/wellarchitected/latest/financial-services-industry-lens/use-envelope-encryption-with-customer-master-keys.html
upvoted 2 times
Daniel76
3 years, 8 months ago
Answer: D. Use AWS SDK client-side encryption, which secures app data with private encryption keys that never leave the application. Use Option 2 of the following link. https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
Wrong answers:
A, B - Sending the unencrypted/plaintext data key to and from the application is unsafe.
C - If another CMK is required (Option 1 of the above link), then the solution should mention calling AWS KMS to return the plaintext version and cipher blob version of a generated data key, where it will use the plaintext data key to encrypt at the client side. Again, this is less secure than D since it involves sending the plaintext data key.
upvoted 4 times
EricR17
3 years, 8 months ago
"The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS." https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html
upvoted 1 times
sanjaym
3 years, 9 months ago
Ans: D
upvoted 2 times
pyro_mann
3 years, 9 months ago
You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.
upvoted 3 times
Hungdv
3 years, 9 months ago
I don't know the difference between A and D.
upvoted 1 times
ChauPhan
3 years, 8 months ago
You need to encrypt the data key as well; you can't leave a "plain text" data key. It is the MOST secure way.
upvoted 1 times
L1234567890
3 years, 9 months ago
D makes sense
upvoted 2 times
Larsson
3 years, 9 months ago
Why not C? What's the difference?
upvoted 1 times
halfway
3 years, 9 months ago
There seems to be no need to use 'another' CMK, so answer C looks wrong to me.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other