Question #794
A developer needs to encrypt sensitive log data locally before storing it in an Amazon S3 bucket. The encryption must use symmetric cryptography and be performed within the application without relying on external tools. How should the developer implement this encryption?
A. Generate an HMAC key in AWS KMS and use the AWS CLI to encrypt the logs.
B. Create a symmetric data key in AWS KMS and use the AWS Encryption SDK to encrypt the logs.
C. Generate an asymmetric data key pair in AWS KMS and use the AWS CLI for encryption.
D. Create a symmetric data key in AWS KMS and use OpenSSL commands to encrypt the logs.
Explanation
Answer B is correct because:
1. Symmetric Data Key: AWS KMS allows creating symmetric data keys, which are required for symmetric cryptography.
2. AWS Encryption SDK: The SDK performs encryption/decryption inside the application process, avoiding reliance on external tools like the AWS CLI (Options A and C) or OpenSSL (Option D).
3. Client-Side Encryption: The data is encrypted locally before it is uploaded, so S3 only ever receives ciphertext.
Why other options are incorrect:
- A: HMAC is for authentication, not encryption, and the AWS CLI is an external tool.
- C: An asymmetric key pair does not meet the symmetric-cryptography requirement, and the AWS CLI is again an external tool.
- D: OpenSSL commands are external tools, violating the requirement.
Key Points: Use AWS Encryption SDK with KMS symmetric keys for client-side encryption without external dependencies.
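To make the envelope pattern behind answer B concrete, here is an added example that is not part of the exam page and not AWS's own code. It models the data flow the AWS Encryption SDK implements on the client: ask KMS for a data key (GenerateDataKey returns the plaintext key and the same key wrapped under the KMS key), encrypt the log bytes locally, and store the ciphertext together with the wrapped key; decryption calls KMS Decrypt on the wrapped key only. Everything is stand-in: `SimulatedKms`, `encrypt_log`, `decrypt_log` and `SAMPLE_LOG` are names chosen here, the KMS class is an in-process simulation, and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, used in place of the AES-GCM the real SDK uses so the example runs with the standard library alone. In production you would call `aws_encryption_sdk` against a real KMS key and pass the resulting message to `put_object`.

```python
import base64
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream. Stand-in for AES-GCM,
    # chosen only so the example has no third-party dependency.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key, plaintext):
    """Encrypt-then-MAC with keys derived from `key`; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    """Verify the tag before decrypting; raises ValueError on any modification."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """Constructed stand-in for AWS KMS. The master key never leaves this object;
    callers only receive data keys, mirroring GenerateDataKey and Decrypt."""

    def __init__(self):
        self._master_key = os.urandom(32)
        self.decrypt_calls = 0  # counts unwrap requests, as CloudTrail would record them

    def generate_data_key(self):
        plaintext_key = os.urandom(32)
        encrypted_key = _seal(self._master_key, plaintext_key)
        return plaintext_key, encrypted_key

    def decrypt(self, encrypted_key):
        self.decrypt_calls += 1
        return _open(self._master_key, encrypted_key)


def encrypt_log(kms, log_bytes):
    """Client-side envelope encryption performed before the S3 upload."""
    data_key, encrypted_data_key = kms.generate_data_key()
    ciphertext = _seal(data_key, log_bytes)
    del data_key  # the plaintext data key is needed only for this call
    # What actually gets stored: ciphertext plus the wrapped data key,
    # analogous to the Encryption SDK's message header.
    return {
        "encrypted_data_key": base64.b64encode(encrypted_data_key).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
    }


def decrypt_log(kms, envelope):
    """Only the wrapped key goes to KMS; the log itself is decrypted locally."""
    data_key = kms.decrypt(base64.b64decode(envelope["encrypted_data_key"]))
    return _open(data_key, base64.b64decode(envelope["ciphertext"]))


# Constructed sample log lines, not real data.
SAMPLE_LOG = (
    b"2024-05-01T10:00:00Z user=alice action=login src=10.0.0.5\n"
    b"2024-05-01T10:00:07Z user=alice action=download object=report.pdf\n"
)

if __name__ == "__main__":
    kms = SimulatedKms()
    envelope = encrypt_log(kms, SAMPLE_LOG)
    print("stored object:", {k: v[:24] + "..." for k, v in envelope.items()})
    print("round trip ok:", decrypt_log(kms, envelope) == SAMPLE_LOG)
```

The dictionary returned by `encrypt_log` is the whole S3 object body; nothing in it is usable without a successful KMS Decrypt on the wrapped key, which is where IAM key policies restrict who can read the logs and where CloudTrail records every read.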
Answer
The correct answer is: B