Which API call is required to perform the encryption?
Pass the data to the KMS ReEncrypt API for encryption.
Use the KMS GenerateDataKey API to get an encryption key.
Use the KMS GenerateDataKeyWithoutPlaintext API to get an encryption key.
Pass the data to KMS as part of the Encrypt API for encryption.
Explanations:
The KMS ReEncrypt API is used for re-encrypting data that has been encrypted with a different encryption key. It’s not the appropriate API for encrypting data before sending it downstream.
The KMS GenerateDataKey API generates a data key for encryption and returns it in both plaintext and encrypted form. The plaintext copy is used to encrypt the data, while the encrypted copy is stored. This is the typical way to handle encryption when using KMS.
The KMS GenerateDataKeyWithoutPlaintext API generates an encryption key, but it returns only the encrypted copy and does not provide the plaintext key. Additional steps would be required before the key could be used to encrypt data, making it less practical for this scenario.
The KMS Encrypt API encrypts data, but it is not typically used to pass large amounts of data directly. It’s better suited for small payloads, and the GenerateDataKey API is more commonly used when encrypting large data.