Answer – A and C
AWS provides client-side encryption clients: the Amazon S3 encryption client is built into the AWS SDKs, and the AWS Encryption SDK has a command-line front end, the AWS Encryption CLI.
With client-side encryption using AWS KMS, the customer creates a customer master key (CMK) in KMS and refers to it by its key ID (or alias/ARN). The high-level encryption workflow (envelope encryption) is as follows:
1. The file/object and the CMK key ID are passed to the encryption client via the SDK or CLI.
2. The encryption client requests a data key from KMS (GenerateDataKey) using the specified CMK key ID. KMS generates a unique data encryption key and returns it in two forms: in plaintext and encrypted under the CMK.
3. The client encrypts the object data locally with the plaintext data key, discards the plaintext key, and stores the encrypted data key alongside the ciphertext (for S3, in the object's metadata). To decrypt, the client sends only the encrypted data key to KMS (Decrypt), gets the plaintext data key back, and decrypts the object locally; the object data itself is never sent to KMS.
For more information on client-side encryption of S3 data using a KMS CMK, see the URL below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
A working example of client-side encryption using a KMS CMK is given here:
https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/
Option B is incorrect because the KMS Encrypt API (aws kms encrypt) only accepts plaintext up to 4 KB and encrypts it directly under the CMK; for such small files there is no need to create or fetch a data key, so it is not the client-side encryption flow for objects.
Option D is incorrect since the question does not mention any requirement to use your own key material (imported key material).
For more information on the concepts of the Key Management Service, see the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
Note:
Options A and C have to be followed in sequence to encrypt the data with KMS-based client-side encryption. The data key is generated in the background by KMS under the CMK; this step is abstracted from the user by the encryption client.
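The workflow above (GenerateDataKey under the CMK, encrypt locally, keep the encrypted data key with the object, and Decrypt the data key when reading), next to the direct KMS Encrypt path that Option B describes, as an added example. This is not code from the page, the linked AWS blog post, or the AWS SDK. The call shapes follow boto3 (kms.generate_data_key(KeyId=..., KeySpec="AES_256"), kms.decrypt(CiphertextBlob=...), kms.encrypt(KeyId=..., Plaintext=...)); FakeKMS is a constructed offline stand-in with those signatures, and the alias "alias/demo-cmk" is made up. The local cipher (HMAC-SHA256 keystream plus an HMAC tag) is a stand-in chosen so the example needs only the standard library; production code should use AES-GCM, for example via the cryptography package, or the S3 encryption client itself.

```python
"""Envelope encryption with a KMS data key (added example; FakeKMS is a constructed
stand-in for boto3.client("kms"), and the local cipher is a stdlib stand-in for AES-GCM).
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32
KMS_ENCRYPT_LIMIT = 4096  # KMS Encrypt accepts at most 4 KB of plaintext under a symmetric CMK


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one 32-byte key; output is nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering raises ValueError."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Constructed offline stand-in for boto3.client('kms'); master keys never leave it."""

    def __init__(self):
        self._master = {}  # key id -> 32-byte master key, in memory only (constructed)

    def create_key(self, key_id: str) -> None:
        self._master[key_id] = os.urandom(32)

    def _wrap(self, key_id: str, plaintext: bytes) -> bytes:
        kid = key_id.encode()  # blob carries the key id, as real KMS ciphertext blobs do
        return len(kid).to_bytes(2, "big") + kid + _seal(self._master[key_id], plaintext)

    def encrypt(self, KeyId: str, Plaintext: bytes, **_):
        if len(Plaintext) > KMS_ENCRYPT_LIMIT:
            raise ValueError("ValidationException: plaintext exceeds 4096 bytes")
        return {"KeyId": KeyId, "CiphertextBlob": self._wrap(KeyId, Plaintext)}

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256", **_):
        plaintext_key = os.urandom(32 if KeySpec == "AES_256" else 16)
        return {"KeyId": KeyId, "Plaintext": plaintext_key,
                "CiphertextBlob": self._wrap(KeyId, plaintext_key)}

    def decrypt(self, CiphertextBlob: bytes, **_):
        n = int.from_bytes(CiphertextBlob[:2], "big")
        key_id = CiphertextBlob[2:2 + n].decode()
        return {"KeyId": key_id, "Plaintext": _open(self._master[key_id], CiphertextBlob[2 + n:])}


def encrypt_object(kms, cmk_id: str, data: bytes) -> dict:
    """Options A and C in sequence: fetch a data key under the CMK, then encrypt locally."""
    resp = kms.generate_data_key(KeyId=cmk_id, KeySpec="AES_256")
    ciphertext = _seal(resp["Plaintext"], data)  # plaintext key is used once and dropped
    # Only the encrypted data key is kept with the object (S3 puts it in object metadata).
    return {"ciphertext": ciphertext, "encrypted_data_key": resp["CiphertextBlob"],
            "kms_key_id": resp["KeyId"]}


def decrypt_object(kms, envelope: dict) -> bytes:
    """Send only the encrypted data key to KMS; the object itself never leaves the client."""
    resp = kms.decrypt(CiphertextBlob=envelope["encrypted_data_key"])
    return _open(resp["Plaintext"], envelope["ciphertext"])


def encrypt_small_directly(kms, cmk_id: str, data: bytes) -> bytes:
    """Option B's path: KMS Encrypt under the CMK, no data key, payload limited to 4 KB."""
    if len(data) > KMS_ENCRYPT_LIMIT:
        raise ValueError("use a data key (envelope encryption) for payloads over 4 KB")
    return kms.encrypt(KeyId=cmk_id, Plaintext=data)["CiphertextBlob"]


if __name__ == "__main__":
    kms = FakeKMS()
    kms.create_key("alias/demo-cmk")  # constructed alias, not a real key
    payload = b"x" * 100_000  # far beyond the 4 KB KMS Encrypt limit
    env = encrypt_object(kms, "alias/demo-cmk", payload)
    assert decrypt_object(kms, env) == payload
    print("envelope round trip ok; encrypted data key is", len(env["encrypted_data_key"]), "bytes")
```

To run against real KMS, replace FakeKMS with boto3.client("kms") and pass a real key ID, alias or ARN; the envelope functions do not change, which is the point of the abstraction the note describes: the caller never handles the CMK, only the per-object data key that KMS hands out and wraps.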