A developer needs to encrypt a 5 GB file before uploading it to Amazon S3. The company policy mandates the use of AWS KMS. How should the solutions architect implement this?

Answer options:

Call the KMS Encrypt API directly with the 5 GB file.

Use KMS envelope encryption by calling GenerateDataKey, encrypt the file locally, and upload.

Upload the file to S3 and use S3 Select to encrypt it with KMS.

Use AWS Certificate Manager to encrypt the file before upload.

How to approach this question

Remember the 4 KB limit of direct KMS encryption. For larger files, envelope encryption is required.

Full Answer

B.Use KMS envelope encryption by calling GenerateDataKey, encrypt the file locally, and upload.✓ Correct

Use KMS envelope encryption to generate a data key, encrypt the file locally, and upload.

AWS KMS direct encryption is limited to 4 KB. For larger files, you must use envelope encryption: call GenerateDataKey to get a data key, encrypt the file locally with the data key, and then store the encrypted file and the encrypted data key.

Common mistakes

Assuming KMS can directly encrypt large files.

Question 14 All questions Question 16

Practice the full AWS SAA-C03 Practice Exam 3

65 questions · hints · full answers · grading

More questions from this exam

Q01A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only...Easy Q02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Medium Q03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...Easy Q04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...Medium Q05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium

View all 65 questions →