Your company has a set of files, up to 4 KB each in size, that needs to be encrypted at the client side. Since the company already uses a lot of AWS services, they want to use the AWS KMS CLI to encrypt the data files. Which of the following steps are required in the encryption process? Choose 2 answers from the options given below.

Answer options:

A.Create a new CMK key in the AWS Key Management service.
B.Create a new data key in the AWS Key Management service and fetch the data key through AWS KMS CLI.
C.Use AWS KMS Encrypt CLI to encrypt files using the CMK key.
D.Import the key material while creating the CMK.

Answer – A and C
AWS provides an Amazon encryption client which is embedded into the AWS SDK and CLI.
With client-side encryption using AWS KMS, the customer creates a CMK in KMS associated with Key ID.High-level encryption workflow would be as follows:
File/Object and CMK Key ID is passed to the AWS encryption client using SDK or CLI.
The encryption client requests a data key from KMS using a specified CMK key ID.KMS uses CMK Key ID to generate a unique data encryption key, which the client uses to encrypt the object data.
For more information on client-side encryption using KMS CMK on S3 data, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
Here is the working example for implementing client-side encryption using CMK on KMS:
https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/
Option B is incorrect because when using AWS KMS Encrypt CLI to encrypt files that are less than 4 KB, there is no need to create or fetch data keys.
Option D is incorrect since there is no mention in the question on requiring using your own key material.
For more information on the concepts for the Key Management Service, please visit the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
Note: 
Options A and C have to be followed in sequence to encrypt the data using client-side encryption using KMS. Data key is generated in the background using KMS using CMK, abstract to the user.