DVA-C02 Question #264: Real Exam Question with Answer & Explanation

The correct answer is B: Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS. To use a company-generated encryption key for DynamoDB at rest, the key must be stored in AWS KMS as a customer managed key (CMK) and the DynamoDB table must be configured to use that CMK.

Submitted by yuriko_h · Mar 5, 2026 · Security

Question

A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the developer do to meet these requirements?

Options

  • A. Create the DynamoDB table with encryption set to None. Code the application to use the key to
  • B. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS
  • C. Store the key by using AWS Key Management Service (AWS KMS). Create the DynamoDB table
  • D. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS AWS

Explanation

To use a company-generated encryption key for DynamoDB at rest, the key must be stored in AWS KMS as a customer managed key (CMK) and the DynamoDB table must be configured to use that CMK.

Common mistakes.

  • A. Setting encryption to None and handling encryption in application code is error-prone, bypasses DynamoDB's native encryption integration, and does not use KMS for key management as intended.
  • C. This option is a distractor; while storing the key in KMS is correct, the specifics of this choice conflict with using a true customer managed key (CMK) versus an AWS managed key, or the table configuration is incorrect.
  • D. Using an AWS managed KMS key means AWS controls the key material and rotation, which does not satisfy the requirement that the company generates and controls the key.

Concept tested. DynamoDB encryption at rest with customer managed KMS key

Reference. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
