DVA-C02 Question #644: Real Exam Question with Answer & Explanation

Question

A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the developer do to meet these requirements?

Options

• ACreate the DynamoDB table with encryption set to None. Code the application to use the key to
• BStore the key by using AW5 KMS. Choose an AVVS KMS customer managed key during creation
• CStore the key by using AWS KMS. Create the DynamoDB table with default encryption. Include
• DStore the key by using AWS KMS. Choose an AWS KMS AWS managed key during creation of

Explanation

Option B is correct because the requirement specifies a key the company generates, which maps directly to an AWS KMS customer managed key (CMK). CMKs are created, owned, and controlled by the customer - the company can define key policies, rotate the key, and audit usage via CloudTrail. DynamoDB natively integrates with KMS, so selecting a CMK during table creation satisfies both the encryption-at-rest and key ownership requirements.

Why the distractors fail:

• A - Setting encryption to "None" means data is stored unencrypted, directly violating the requirement.
• C - Default encryption uses an AWS owned key, not a customer-generated one; the company has no control over or visibility into that key.
• D - An AWS managed key is created and managed by AWS on your behalf (not by the company), so the company doesn't "generate" it - this fails the ownership requirement even though KMS is involved.

Memory tip: Associate the phrase "company generates" → Customer Managed Key (CMK). The word "customer" in CMK = you/your company. If AWS owns or manages the key, the company doesn't control it - eliminate those options whenever the question demands company-owned keys.

No community discussion yet for this question.