Free AWS DVA-C01 Actual Exam Questions - Question 4 Discussion
What is the BEST approach?
Maybe C, since you need the plaintext key to actually encrypt large files locally.
C/D? D only gives the encrypted data key, so you can’t actually encrypt the data without the plaintext key. C is better because it provides the plaintext key needed to encrypt large objects like this.
Probably D, since GenerateDataKeyWithoutPlaintext gives you an encrypted data key that you can store securely without exposing the plaintext key. You’d usually use this when you want to offload encryption to a secure environment or hardware module that can decrypt the key internally. For 100 GB, you might not want to handle plaintext keys directly in your app, so D helps with security even if it means the actual encryption happens where the key can be decrypted safely. C gives you the plaintext key in your app, which might be less secure depending on your setup.
C/D? D returns just the encrypted data key, so you still need the plaintext version somewhere. Only C gives you the plaintext key needed to encrypt large data like 100 GB efficiently.
C, because you need the plaintext key to actually encrypt large data efficiently.
Totally agree that A and B are off because KMS isn't built to handle large data encryption directly. D doesn't really work because you can't encrypt data without the plaintext key. So C is the only viable option since it gives you the plaintext data key for actual encryption and the encrypted key for safe storage. This fits best with how KMS is designed to handle big files securely.
Probably C here. The key point is that KMS isn’t meant to encrypt large data directly, so you need a data key for the actual encryption. GenerateDataKey gives you both the plaintext and encrypted key, so you can encrypt locally with the plaintext key and store the encrypted version safely. A and B would try to encrypt all 100 GB through KMS which isn’t practical, and D won’t work because you need the plaintext key to do the encryption. So C fits best for handling big files efficiently.
C makes sense since you need the plaintext key for actual data encryption.
Maybe D could work since it avoids exposing the plaintext key, but encrypting with only the encrypted key isn’t practical without the plaintext. So C still seems the most reasonable way to handle large data efficiently.
It’s C. You don’t wanna encrypt 100GB directly with KMS, that’s a trap in A.