You are developing a Java-based application that needs to make use of the AWS KMS service for encryption. Which of the following must be done for the encryption and decryption process? Choose 2 answers from the options given below.

Answer options:

A.Use the Customer master key to encrypt the data.
B.Use the Customer master key to generate a data key for the encryption process.
C.Use the Customer master key to decrypt the data.
D.Use the generated data key to decrypt the data.

Answer – B and D
The AWS Documentation mentions the following.
The AWS Encryption SDK is a client-side encryption library that makes it easier for you to implement cryptography best practices in your application. It includes secure default behaviour for developers who are not encryption experts, while being flexible enough to work for the most experienced users.
Options A and C are incorrect because you should never use the Customer master keys directly to encrypt the decryption process.
In the AWS Encryption SDK, by default, you generate a new data key for each encryption operation
For more information on the Encryption SDK, please refer to the below URL-
https://docs.aws.amazon.com/kms/latest/developerguide/programming-top.html
Note: 
AWS Docs Says
"When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key.
You can even encrypt the data encryption key under another encryption key and encrypt that encryption key with another encryption key. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key."
For more information on the enveloping, please refer to the below URL-
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping