As a DevOps engineer, you need to maintain Jenkins pipelines. Recently, you have created a new pipeline for a migration project. In one stage, you encrypted a file with below command.
aws kms encrypt \
--key-id 1234abcd-fa85-46b5-56ef-1234567890ab \
--plaintext fileb://ExamplePlaintextFile \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile
A CMK key was used in the encryption operation. Then in another stage, the encrypted file needs to be decrypted with "aws kms decrypt". In terms of the decryption command, which statement is correct?

Answer options:

A.The CMK key ID is needed for "aws kms decrypt".
B.The CMK key ARN is needed for "aws kms decrypt".
C.The encrypted data key is needed for "aws kms decrypt".
D.There is no need to add the CMK key information for this command.

Correct Answer – D
Check the below links for how to use KMS encrypt/decrypt.
KMS encrypt: https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html.
KMS decrypt: https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html.
Options A~B are incorrect: The AWS CLI "aws kms decrypt" has the below format:
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--output text \
--query Plaintext | base64 --decode > ExamplePlaintextFile
There is no need to add the key information. This is different from "aws kms encrypt".
Option C is incorrect: Because the encryption does not use the data key, so does the decryption.
Option D is CORRECT: Refer to the above explanations.