DVA-C02 · Question #302
A developer is creating an Amazon DynamoDB table by using the AWS CLI. The DynamoDB table must use server-side encryption with an AWS owned encryption key. How should the developer create the DynamoDB
The correct answer is D. Create the DynamoDB table with the default encryption options.. Option D is correct because DynamoDB uses AWS owned encryption keys by default - simply creating a table without specifying any --sse-specification parameter automatically applies AWS owned key encryption, satisfying the requirement at no extra cost. Option A is wrong because a c
Question
A developer is creating an Amazon DynamoDB table by using the AWS CLI. The DynamoDB table must use server-side encryption with an AWS owned encryption key. How should the developer create the DynamoDB table to meet these requirements?
Options
- ACreate an AWS Key Management Service (AWS KMS) customer managed key. Provide the key's
- BCreate an AWS Key Management Service (AWS KMS) AWS managed key. Provide the key's
- CCreate an AWS owned key. Provide the key's Amazon Resource Name (ARN) in the
- DCreate the DynamoDB table with the default encryption options.
How the community answered
(31 responses)- B6% (2)
- C3% (1)
- D90% (28)
Explanation
Option D is correct because DynamoDB uses AWS owned encryption keys by default - simply creating a table without specifying any --sse-specification parameter automatically applies AWS owned key encryption, satisfying the requirement at no extra cost.
Option A is wrong because a customer managed key (CMK) is a key you create and control in AWS KMS. Using one would mean DynamoDB is encrypted with a customer managed key, not an AWS owned key - and it incurs additional KMS charges.
Option B is wrong for the same reason: an AWS managed key (aws/dynamodb) is still stored in your account and visible in KMS. AWS owned keys are different - they live entirely in AWS's account, not yours, and cannot be referenced by ARN.
Option C is wrong because AWS owned keys have no ARN - they are not resources in your account and cannot be referenced or specified in any API call. There is no mechanism to "provide" an AWS owned key ARN.
Memory tip: Think of the three tiers as who owns it - AWS owned (default, invisible, free), AWS managed (your account, AWS controls it), Customer managed (your account, you control it). The question asks for the most hands-off option, which is always the default.
Topics
Community Discussion
No community discussion yet for this question.