Your development team is working with Docker containers. These containers need to encrypt data. The data key needs to be generated using the KMS service. The data key should be in the encrypted format. Which of the following would you most ideally use? (Choose 2 options)

Answer options:

A.The GenerateDataKey command
B.The GenerateDataKeyWithoutPlaintext command
C.Use the CMK Keys
D.Use client-side keys

Answer - B and C
The AWS Documentation mentions the following.
GenerateDataKeyWithoutPlaintext returns a data encryption key encrypted under a customer master key (CMK). This operation is identical to GenerateDataKey but returns only the encrypted copy of the data key.
Option A is incorrect because the GenerateDataKey command returns both the original plaintext key and the encrypted copy of the key.
Option B is CORRECT because we need the command "GenerateDataKeyWithoutPlaintext" only to return the encrypted key.
Option C is CORRECT because the CMK is required to encrypt the data keys with the above command.
Option D is invalid since the question states that you need to use the KMS service.
For more information on Generating data keys, please refer to the below URL-
https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html