nerdexam
Amazon

DVA-C02 · Question #302

A developer is creating an Amazon DynamoDB table by using the AWS CLI. The DynamoDB table must use server-side encryption with an AWS owned encryption key. How should the developer create the DynamoDB

The correct answer is D. Create the DynamoDB table with the default encryption options.. Option D is correct because DynamoDB uses AWS owned encryption keys by default - simply creating a table without specifying any --sse-specification parameter automatically applies AWS owned key encryption, satisfying the requirement at no extra cost. Option A is wrong because a c

Submitted by paula_co· Mar 5, 2026Development with AWS Services

Question

A developer is creating an Amazon DynamoDB table by using the AWS CLI. The DynamoDB table must use server-side encryption with an AWS owned encryption key. How should the developer create the DynamoDB table to meet these requirements?

Options

  • ACreate an AWS Key Management Service (AWS KMS) customer managed key. Provide the key's
  • BCreate an AWS Key Management Service (AWS KMS) AWS managed key. Provide the key's
  • CCreate an AWS owned key. Provide the key's Amazon Resource Name (ARN) in the
  • DCreate the DynamoDB table with the default encryption options.

How the community answered

(31 responses)
  • B
    6% (2)
  • C
    3% (1)
  • D
    90% (28)

Explanation

Option D is correct because DynamoDB uses AWS owned encryption keys by default - simply creating a table without specifying any --sse-specification parameter automatically applies AWS owned key encryption, satisfying the requirement at no extra cost.

Option A is wrong because a customer managed key (CMK) is a key you create and control in AWS KMS. Using one would mean DynamoDB is encrypted with a customer managed key, not an AWS owned key - and it incurs additional KMS charges.

Option B is wrong for the same reason: an AWS managed key (aws/dynamodb) is still stored in your account and visible in KMS. AWS owned keys are different - they live entirely in AWS's account, not yours, and cannot be referenced by ARN.

Option C is wrong because AWS owned keys have no ARN - they are not resources in your account and cannot be referenced or specified in any API call. There is no mechanism to "provide" an AWS owned key ARN.

Memory tip: Think of the three tiers as who owns it - AWS owned (default, invisible, free), AWS managed (your account, AWS controls it), Customer managed (your account, you control it). The question asks for the most hands-off option, which is always the default.

Topics

#DynamoDB#Server-Side Encryption#AWS Owned Keys#Default Encryption

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice