Answer: A and C
Option A is CORRECT because you can use the GenerateDataKeyWithoutPlaintext API to generate a data key that is returned only in encrypted form. This encrypted data key is then distributed to the individual components of the distributed system.
Option B is incorrect because the Encrypt API can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data, not the large files specified in the question scenario.
Option C is CORRECT because the Decrypt API must be used by the individual components that process the data to decrypt the data key. The resulting plaintext key can then be used to encrypt the data.
Option D is incorrect because it is not good practice to distribute plaintext data keys to the system components. Also, the option does not specify that the data key would be distributed among the system components, so we can't make that assumption. If each component calls the GenerateDataKey API, each component will use a different key to encrypt the data. This is not desirable for a distributed system.
In distributed systems, one component of your system is responsible for creating new components. It stores an encrypted data key with each new component. The new component first decrypts the data key, then uses the plaintext data key to encrypt data. In this design, the component that creates the system components never sees the plaintext data key.
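The envelope pattern described above, as an added example that is not part of the original explanation or of the AWS documentation: an orchestrator calls GenerateDataKeyWithoutPlaintext and hands each worker only the wrapped key; the worker calls Decrypt to obtain the plaintext key and encrypts a payload far larger than the 4096-byte Encrypt limit locally with AES-256-GCM. The `KeyService` interface, the `fakeKMS` type, and the key id `alias/app-data` are assumptions made for the example; `fakeKMS` is a constructed in-memory stand-in that wraps data keys under a master key that never leaves it (real KMS uses its own wrapping inside the service), so the example runs offline. Wiring a real SDK client would mean an adapter that forwards the two calls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService is the slice of the KMS API this example needs. Its two methods stand in
// for the SDK's GenerateDataKeyWithoutPlaintext and Decrypt calls (assumption: a real
// client would be wrapped in an adapter exposing exactly this interface).
type KeyService interface {
	GenerateDataKeyWithoutPlaintext(keyID string) (encryptedDataKey []byte, err error)
	Decrypt(encryptedDataKey []byte) (plaintextDataKey []byte, err error)
}

// Worker is one component of the distributed system. It is provisioned with the wrapped
// data key only; the plaintext key lives in its memory just long enough to process a payload.
type Worker struct {
	svc              KeyService
	encryptedDataKey []byte
}

// ProvisionWorker plays the orchestrator that creates new components. It requests a data
// key without the plaintext half, so the orchestrator itself never sees the key material.
func ProvisionWorker(svc KeyService, keyID string) (*Worker, error) {
	edk, err := svc.GenerateDataKeyWithoutPlaintext(keyID)
	if err != nil {
		return nil, err
	}
	return &Worker{svc: svc, encryptedDataKey: edk}, nil
}

// Encrypt unwraps the data key through KMS Decrypt, then encrypts an arbitrarily large
// payload locally. Output layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
func (w *Worker) Encrypt(payload []byte) ([]byte, error) {
	key, err := w.svc.Decrypt(w.encryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(key) // discard the plaintext key as soon as the operation is done
	return sealAESGCM(key, payload)
}

// Decrypt is the reverse path taken by a component that consumes the data.
func (w *Worker) Decrypt(blob []byte) ([]byte, error) {
	key, err := w.svc.Decrypt(w.encryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(key)
	return openAESGCM(key, blob)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce prefixed to the ciphertext
}

func openAESGCM(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// fakeKMS is a constructed, in-memory stand-in for KMS so the example runs offline. Like the
// real service it holds a master key that never leaves it, mints 256-bit data keys, and hands
// back only the wrapped form from GenerateDataKeyWithoutPlaintext.
type fakeKMS struct {
	keyID     string
	masterKey []byte
}

func newFakeKMS(keyID string) *fakeKMS {
	mk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, mk); err != nil {
		panic(err)
	}
	return &fakeKMS{keyID: keyID, masterKey: mk}
}

func (f *fakeKMS) GenerateDataKeyWithoutPlaintext(keyID string) ([]byte, error) {
	if keyID != f.keyID {
		return nil, errors.New("NotFoundException: unknown key id")
	}
	dk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dk); err != nil {
		return nil, err
	}
	defer zero(dk)
	return sealAESGCM(f.masterKey, dk) // caller receives the wrapped key only
}

func (f *fakeKMS) Decrypt(edk []byte) ([]byte, error) {
	return openAESGCM(f.masterKey, edk)
}

func main() {
	svc := newFakeKMS("alias/app-data")
	worker, err := ProvisionWorker(svc, "alias/app-data")
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte("chunk of a large file "), 2000) // well past the 4 KiB Encrypt limit
	blob, err := worker.Encrypt(payload)
	if err != nil {
		panic(err)
	}
	back, err := worker.Decrypt(blob)
	fmt.Printf("wrapped key %d bytes; payload %d bytes -> %d bytes; round trip ok: %v\n",
		len(worker.encryptedDataKey), len(payload), len(blob), err == nil && bytes.Equal(back, payload))
}
```

Every worker provisioned from the same orchestrator shares one data key (the wrapped blob is copied, not regenerated), which is what option D's per-component GenerateDataKey calls would break; and because the worker only ever holds the wrapped key at rest, a dump of its configuration yields nothing usable without a Decrypt call that KMS logs and that key policy can restrict.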
Reference:
https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html
https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html