DVA-C02 Question #644: Real Exam Question with Answer & Explanation
The correct answer is B: Store the key by using AWS KMS. Choose an AWS KMS customer managed key during creation
Question
A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the developer do to meet these requirements?
Options
- A. Create the DynamoDB table with encryption set to None. Code the application to use the key to
- B. Store the key by using AWS KMS. Choose an AWS KMS customer managed key during creation
- C. Store the key by using AWS KMS. Create the DynamoDB table with default encryption. Include
- D. Store the key by using AWS KMS. Choose an AWS KMS AWS managed key during creation of
Explanation
Option B is correct because the requirement specifies a key the company generates, which maps directly to an AWS KMS customer managed key (CMK). CMKs are created, owned, and controlled by the customer - the company can define key policies, rotate the key, and audit usage via CloudTrail. DynamoDB natively integrates with KMS, so selecting a CMK during table creation satisfies both the encryption-at-rest and key ownership requirements.
Why the distractors fail:
- A - Setting encryption to "None" means data is stored unencrypted, directly violating the requirement.
- C - Default encryption uses an AWS owned key, not a customer-generated one; the company has no control over or visibility into that key.
- D - An AWS managed key is created and managed by AWS on your behalf (not by the company), so the company doesn't "generate" it - this fails the ownership requirement even though KMS is involved.
Memory tip: Associate the phrase "company generates" → Customer Managed Key (CMK). The word "customer" in CMK = you/your company. If AWS owns or manages the key, the company doesn't control it - eliminate those options whenever the question demands company-owned keys.
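Added example (not part of the original question page): a check that sorts DynamoDB tables into the three key types discussed above, working on the dictionaries returned by DynamoDB DescribeTable and KMS DescribeKey. The function names, table names, and ARNs are constructed for illustration, and the code assumes a table on the default AWS owned key reports no KMS SSEDescription.

```python
# Added example. All ARNs, account IDs and table names are constructed.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER-KEY"
AWS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED-KEY"


def sse_specification(cmk_arn):
    """SSESpecification argument for CreateTable that selects a customer managed key."""
    return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": cmk_arn}


def classify_table_key(table, keys):
    """Classify the 'Table' dict from DescribeTable.

    keys maps key ARN -> 'KeyMetadata' dict from DescribeKey.
    Returns 'AWS_OWNED', 'AWS_MANAGED' or 'CUSTOMER_MANAGED'.
    """
    sse = table.get("SSEDescription")
    # Assumption: default (AWS owned key) tables carry no KMS SSEDescription.
    if not sse or sse.get("SSEType") != "KMS":
        return "AWS_OWNED"
    meta = keys.get(sse["KMSMasterKeyArn"])
    if meta is None:
        raise KeyError("no DescribeKey metadata for " + sse["KMSMasterKeyArn"])
    # KeyManager is 'CUSTOMER' for customer managed keys, 'AWS' for AWS managed keys.
    return "CUSTOMER_MANAGED" if meta["KeyManager"] == "CUSTOMER" else "AWS_MANAGED"


def noncompliant_tables(tables, keys):
    """Names of tables that are not encrypted with a customer managed key."""
    return [t["TableName"] for t in tables
            if classify_table_key(t, keys) != "CUSTOMER_MANAGED"]


# Constructed sample responses: option B, option D, option C (default encryption).
KEYS = {
    CMK_ARN: {"Arn": CMK_ARN, "KeyManager": "CUSTOMER"},
    AWS_ARN: {"Arn": AWS_ARN, "KeyManager": "AWS"},
}
TABLES = [
    {"TableName": "orders-cmk", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK_ARN}},
    {"TableName": "orders-aws-managed", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_ARN}},
    {"TableName": "orders-default"},
]

if __name__ == "__main__":
    for t in TABLES:
        print(t["TableName"], classify_table_key(t, KEYS))
    print("non-compliant:", noncompliant_tables(TABLES, KEYS))
```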