Q51 — AWS DVA-C02 Ch.2
A developer needs to use Amazon DynamoDB to store customer orders. The company requires encryption at rest of all customer data using a company-generated key. What should the developer do to meet these requirements?
- A. Create a DynamoDB table with encryption set to None. Code the application to decrypt data using the key when reading from the table and encrypt data using the key when writing to the table.
- B. Use AWS Key Management Service (AWS KMS) to store the key. During DynamoDB table creation, select an AWS KMS customer-managed key and provide the Amazon Resource Name (ARN) of the AWS KMS key. ✓
- C. Use AWS Key Management Service (AWS KMS) to store the key. Create the DynamoDB table with default encryption. When using the DynamoDB SDK, include the kms:Encrypt parameter with the ARN of the AWS KMS key.
- D. Use AWS Key Management Service (AWS KMS) to store the key. During DynamoDB table creation, select an AWS KMS AWS-managed key and provide the Amazon Resource Name (ARN) of the AWS KMS key.
Correct Answer: B. Use AWS Key Management Service (AWS KMS) to store the key. During DynamoDB table creation, select an AWS KMS customer-managed key and provide the Amazon Resource Name (ARN) of the AWS KMS key.
Explanation
Option B is correct. To meet the requirement of using a company-generated key for encryption at rest of customer data in DynamoDB, AWS Key Management Service (AWS KMS) must be used to store the key. During DynamoDB table creation, selecting an AWS KMS customer-managed key and providing its ARN ensures that customer data is encrypted at rest using the specified key, satisfying the company’s requirement. Option A does not leverage native DynamoDB encryption. Option C’s default encryption may not use the required company-generated key. Option D uses an AWS-managed key, not a customer-managed key, violating the requirement to use a company-generated key. 【Lantern Certification provided by: swufelp1999】