Question #1052
A company is building an application to accept data from customers. The data must be encrypted at rest and in transit.
The application uses an Amazon CloudFront distribution with field-level encryption that uses an AWS KMS key, which forwards requests to an AWS AppSync GraphQL API. The AppSync API resolves to AWS Lambda functions that store the data in an Amazon DynamoDB table. The application worked properly during testing without field-level encryption.
After enabling field-level encryption in CloudFront, the application started storing ciphertext in DynamoDB. The developer must ensure data is stored as plaintext.
Which solution meets this requirement?
A. Configure AppSync to use a Lambda authorizer that decrypts the data before processing.
B. Modify the Lambda functions to decrypt the encrypted fields before storing the data in DynamoDB.
C. Enable encryption on DynamoDB using the same KMS key used by CloudFront.
D. Update the CloudFront distribution to disable field-level encryption and use HTTPS only.
Explanation
Answer B is correct. CloudFront field-level encryption encrypts the fields named in the field-level encryption profile at the edge and forwards the resulting ciphertext to the origin, on top of the HTTPS connection. AppSync and the Lambda resolvers therefore receive ciphertext, and a resolver that simply passes the request arguments to a DynamoDB PutItem call writes that ciphertext into the table, which is exactly the behaviour observed. The fix is to decrypt the encrypted fields inside the Lambda resolver before the write. Note that CloudFront does not use a KMS key for this feature: you upload an RSA public key to CloudFront, and only the holder of the matching private key (the origin side, typically the Lambda function loading the key from AWS Secrets Manager or from a KMS-encrypted blob at cold start) can decrypt; AWS documents decrypting the fields with the AWS Encryption SDK and that private key. Decrypting in the resolver restores plaintext in DynamoDB while keeping the sensitive fields encrypted on the whole path from the edge to the function, and DynamoDB's server-side encryption covers the data at rest.
Why other options are incorrect:
- A: An AppSync Lambda authorizer returns an allow/deny decision (and optional resolver context) for the caller's token; it cannot rewrite the request payload, so it is not a place to decrypt fields.
- C: Enabling server-side encryption on DynamoDB (tables are encrypted at rest by default anyway) protects data at rest but does nothing to the incoming ciphertext, so the table would hold the field-level encrypted value, itself encrypted at rest. CloudFront field-level encryption also uses an RSA key pair rather than a KMS key, so there is no shared key for DynamoDB to reuse.
- D: Turning field-level encryption off would make the stored data plaintext again, but only by removing a control the company deliberately enabled. HTTPS alone protects bytes on the wire; it does not keep the sensitive fields encrypted through CloudFront, AppSync and every hop in between, which is what field-level encryption adds. The requirement is to keep that control and fix the resolver.
Key Points:
1. Field-level encryption in CloudFront encrypts the configured fields at the edge, between CloudFront and the origin, on top of HTTPS.
2. The Lambda resolver is the component that must decrypt those fields before the write; otherwise ciphertext is what reaches DynamoDB.
3. CloudFront holds only the RSA public key; the matching private key stays with the origin (for example in Secrets Manager or KMS-protected) and is what the resolver decrypts with.
Answer
The correct answer is: B
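As an added worked example (not part of the original question and not AWS's code), the edge-to-resolver data flow in Go using only the standard library. It models field-level encryption as the envelope construction CloudFront uses: a random AES-GCM data key encrypts the field value and RSA-OAEP with SHA-256 wraps that data key under the public key uploaded to CloudFront. The byte layout below is a demo format and is not wire-compatible with the AWS Encryption SDK message CloudFront actually emits, which a production resolver would parse with that SDK. EncryptField, DecryptField, ResolveCreateCustomer and the cardNumber field are hypothetical names; the key pair is generated in-process so the example runs offline, whereas a real resolver would load the private key from Secrets Manager or a KMS-encrypted blob once per cold start.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedFields names the fields the (hypothetical) field-level encryption
// profile encrypts; the resolver must decrypt exactly these and nothing else.
var EncryptedFields = []string{"cardNumber"}

// EncryptField models the edge: a fresh 256-bit AES-GCM data key encrypts the
// value and RSA-OAEP/SHA-256 with the CloudFront public key wraps the data key.
// Demo wire format (base64): 2-byte big-endian wrapped-key length, wrapped key,
// 12-byte nonce, GCM ciphertext+tag. Not the AWS Encryption SDK message format.
func EncryptField(pub *rsa.PublicKey, plaintext string) (string, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	out = gcm.Seal(out, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptField models the origin side: only the holder of the matching private
// key can unwrap the data key, so this is the step the Lambda resolver was missing.
func DecryptField(priv *rsa.PrivateKey, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < 2 {
		return "", errors.New("truncated field")
	}
	n := int(raw[0])<<8 | int(raw[1])
	if len(raw) < 2+n+12 {
		return "", errors.New("truncated field")
	}
	wrapped, rest := raw[2:2+n], raw[2+n:]
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return "", fmt.Errorf("unwrap data key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("field tampered or corrupt: %w", err)
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ResolveCreateCustomer models the fixed Lambda resolver: it decrypts every
// field-level encrypted field before the item is handed to DynamoDB. The returned
// map is what PutItem would receive; copying args through untouched is the bug
// in the question (ciphertext lands in the table).
func ResolveCreateCustomer(priv *rsa.PrivateKey, args map[string]string) (map[string]string, error) {
	item := make(map[string]string, len(args))
	for k, v := range args {
		item[k] = v
	}
	for _, f := range EncryptedFields {
		ct, ok := item[f]
		if !ok {
			continue
		}
		pt, err := DecryptField(priv, ct)
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", f, err)
		}
		item[f] = pt
	}
	return item, nil
}
```

To try it, generate a key pair with rsa.GenerateKey(rand.Reader, 2048), encrypt a constructed value such as "4111111111111111" with EncryptField using &priv.PublicKey (this is what CloudFront forwards), then pass the arguments map to ResolveCreateCustomer with the private key: the returned item holds the plaintext, while the same map without that step is the ciphertext the question describes. Decrypting with any other private key fails at the OAEP unwrap, which is why option C's "same key on DynamoDB" cannot help.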