nerdexam
Amazon

DVA-C02 · Question #644

A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the dev

The correct answer is B. Store the key by using AW5 KMS. Choose an AVVS KMS customer managed key during creation. Option B is correct because the requirement specifies a key the company generates, which maps directly to an AWS KMS customer managed key (CMK). CMKs are created, owned, and controlled by the customer - the company can define key policies, rotate the key, and audit usage via Clou

Submitted by parkjh· Mar 5, 2026Security

Question

A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the developer do to meet these requirements?

Options

  • ACreate the DynamoDB table with encryption set to None. Code the application to use the key to
  • BStore the key by using AW5 KMS. Choose an AVVS KMS customer managed key during creation
  • CStore the key by using AWS KMS. Create the DynamoDB table with default encryption. Include
  • DStore the key by using AWS KMS. Choose an AWS KMS AWS managed key during creation of

How the community answered

(63 responses)
  • A
    3% (2)
  • B
    78% (49)
  • C
    6% (4)
  • D
    13% (8)

Explanation

Option B is correct because the requirement specifies a key the company generates, which maps directly to an AWS KMS customer managed key (CMK). CMKs are created, owned, and controlled by the customer - the company can define key policies, rotate the key, and audit usage via CloudTrail. DynamoDB natively integrates with KMS, so selecting a CMK during table creation satisfies both the encryption-at-rest and key ownership requirements.

Why the distractors fail:

  • A - Setting encryption to "None" means data is stored unencrypted, directly violating the requirement.
  • C - Default encryption uses an AWS owned key, not a customer-generated one; the company has no control over or visibility into that key.
  • D - An AWS managed key is created and managed by AWS on your behalf (not by the company), so the company doesn't "generate" it - this fails the ownership requirement even though KMS is involved.

Memory tip: Associate the phrase "company generates"Customer Managed Key (CMK). The word "customer" in CMK = you/your company. If AWS owns or manages the key, the company doesn't control it - eliminate those options whenever the question demands company-owned keys.

Topics

#DynamoDB#AWS KMS#Encryption at Rest#Customer Managed Keys

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice