Which API call is required to perform the encryption?

By:
In: DVA-C01
Tagged:
With: 2 Comments
A Lambda function processes data before sending it to a downstream service.Each piece of data is approximately 1MB in size.After a security audit, the function is now required to encrypt the data before sending it downstream.

Which API call is required to perform the encryption?

Pass the data to the KMS ReEncrypt API for encryption.

Use the KMS GenerateDataKey API to get an encryption key.

Use the KMS GenerateDataKeyWithoutPlainText API to get an encryption key.

Pass the data to KMS as part of the Encrypt API for encryption.

Explanations:

The KMS ReEncrypt API is used for re-encrypting data that has been encrypted with a different encryption key. It’s not the appropriate API for encrypting data before sending it downstream.

The KMS GenerateDataKey API is used to generate a data key for encryption. The plaintext part of the key can be used to encrypt data, while the encrypted part is stored. This is the typical way to handle encryption when using KMS.

The KMS GenerateDataKeyWithoutPlainText API generates an encryption key, but it does not provide the plaintext key. This would require additional steps to encrypt data directly, making it less practical for this scenario.

The KMS Encrypt API encrypts data, but it is not typically used to pass large amounts of data directly. It’s better suited for small payloads, and the GenerateDataKey API is more commonly used for encryption with large data.

2026-03-24

2 Comments

  1. Bryan
    Author

    As I understand it, the answer is:
    Use the KMS GenerateDataKey API to get an encryption key.

  2. Betty
    Author

    If memory serves me right, the answer is:
    Use the KMS GenerateDataKey API to get an encryption key.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − nine =