Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, the confusion often lies in understanding how CloudFront’s field-level encryption affects data payloads and where decryption must happen.
In production-grade serverless apps, it’s crucial to know precisely where encrypted data remains ciphertext and where you must decrypt using AWS KMS before persisting. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A startup named NexaForms is building an online form submission service that securely accepts sensitive customer data. The architecture uses Amazon API Gateway to route requests to AWS Lambda functions. These Lambda functions then store the submitted data in an Amazon Aurora MySQL database cluster. Encryption in transit and at rest is a mandatory compliance requirement.
During the testing phase, everything works as expected; data is stored in plaintext format inside the database and encrypted during transit via HTTPS.
The engineering team later adds an Amazon CloudFront distribution configured with field-level encryption using an AWS KMS key to protect sensitive fields as they travel from the client to CloudFront.
After this update, the application behavior changes unexpectedly: the database now contains encrypted ciphertext from CloudFront’s field-level encryption instead of the expected plaintext data.
The developer must ensure that sensitive data does NOT get stored in its encrypted ciphertext form in the database but remains transparently decrypted before storage.
The Requirement: #
Identify the solution that will allow the Lambda functions to store decrypted plaintext data in the database while preserving encryption at transit and rest.
The Options #
- A) Change the CloudFront Viewer protocol policy from “HTTP and HTTPS” to “HTTPS only.”
- B) Add a Lambda function step that uses the KMS key to decrypt the encrypted fields before saving the data to the database.
- C) Enable encryption on the Aurora DB cluster using the same KMS key as CloudFront.
- D) Request and deploy a new SSL certificate for the CloudFront distribution.
Google adsense #
leave a comment:
Correct Answer #
B
Quick Insight: The Developer’s Imperative #
For developers working with encrypted payloads, it’s critical to realize that CloudFront field-level encryption only encrypts data in transit between client and CloudFront. The encrypted (ciphertext) fields are forwarded as-is downstream; they are not automatically decrypted by API Gateway or Lambda.
The Lambda function must explicitly call AWS KMS decrypt APIs or SDK methods to convert ciphertext back into plaintext before saving to the database.
Options related to SSL certs or DB encryption do not influence ciphertext being stored at the application layer.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
CloudFront’s field-level encryption is designed to protect specific fields during transit from the viewer (client) to CloudFront. After encryption at CloudFront, the ciphertext travels downstream, including through API Gateway to your Lambda function.
Since the Lambda function receives encrypted fields, it must perform explicit decryption prior to saving to any backend storage. This decryption uses the KMS key that matches the encryption key used in CloudFront.
- The Lambda function should leverage AWS SDK’s KMS client with
DecryptAPI calls to revert ciphertext to plaintext. - This allows compliance with encryption-in-transit requirements while ensuring stored data is in plaintext (or encrypted with a different method, e.g., DB cluster encryption).
The Trap (Distractor Analysis) #
- Option A: Changing protocol policy to HTTPS only secures transport but does NOT affect payload encryption at the application layer or decrypt encrypted fields.
- Option C: Enabling DB encryption protects data at rest but does NOT decrypt ciphertext sent by CloudFront; ciphertext would still be stored as is.
- Option D: SSL certificates govern HTTPS transport channel security but have no impact on application-layer encryption or KMS key usage.
The Technical Blueprint #
Developer CLI / SDK Snippet Example #
import boto3
from base64 import b64decode
kms_client = boto3.client('kms')
def decrypt_field(encrypted_field_b64):
# CloudFront encrypts and base64 encodes fields
ciphertext_blob = b64decode(encrypted_field_b64)
response = kms_client.decrypt(CiphertextBlob=ciphertext_blob)
plaintext = response['Plaintext'].decode('utf-8')
return plaintext
def lambda_handler(event, context):
encrypted_data = event['body']['encryptedField']
decrypted_data = decrypt_field(encrypted_data)
# Proceed to save decrypted_data to Aurora DB
# ...
return {"statusCode": 200, "body": "Data saved successfully"}
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case |
|---|---|---|---|
| A | None | No change | Secures transport but no impact on encrypted payload handling |
| B | Requires KMS Decrypt API call | Moderate (decryption overhead per request) | Correctly handles ciphertext transformation before DB insert |
| C | None (DB Encryption config) | Transparent at DB layer | Protects data at rest but doesn’t affect input ciphertext |
| D | None | No change | HTTPS transport security, unrelated to field encryption |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Lambda decryption logic using KMS when you see CloudFront field-level encrypted payloads.
Real World #
In real production apps, we might combine field-level encryption with fine-grained IAM policies, auditing, and use envelope encryption in the DB for defense in depth. But the core step always remains: decrypt at the application layer before processing or storing.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.