AWS Certified Developer – Associate (DVA-C02) — Question 245

A developer needs to use Amazon DynamoDB to store customer orders. The developer’s company requires all customer data to be encrypted at rest with a key that the company generates.

What should the developer do to meet these requirements?

Answer options

• A. Create the DynamoDB table with encryption set to None. Code the application to use the key to decrypt the data when the application reads from the table. Code the application to use the key to encrypt the data when the application writes to the table.
• B. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS customer managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
• C. Store the key by using AWS Key Management Service (AWS KMS). Create the DynamoDB table with default encryption. Include the kms:Encrypt parameter with the Amazon Resource Name (ARN) of the AWS KMS key when using the DynamoDB software development kit (SDK).
• D. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS AWS managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.

Correct answer: B

Explanation

The correct answer is B because it complies with the requirement for using a customer managed key in AWS KMS, which allows the company to control the encryption key. Option A fails as it does not provide encryption at rest. Option C uses default encryption instead of a customer managed key, and Option D utilizes an AWS managed key, which does not meet the requirement for a key generated by the company.