AWS Certified Developer – Associate — Question 290

A developer is creating an Amazon DynamoDB table by using the AWS CLI. The DynamoDB table must use server-side encryption with an AWS owned encryption key.

How should the developer create the DynamoDB table to meet these requirements?

Answer options

• A. Create an AWS Key Management Service (AWS KMS) customer managed key. Provide the key’s Amazon Resource Name (ARN) in the KMSMasterKeyId parameter during creation of the DynamoDB table.
• B. Create an AWS Key Management Service (AWS KMS) AWS managed key. Provide the key’s Amazon Resource Name (ARN) in the KMSMasterKeyId parameter during creation of the DynamoDB table.
• C. Create an AWS owned key. Provide the key’s Amazon Resource Name (ARN) in the KMSMasterKeyId parameter during creation of the DynamoDB table.
• D. Create the DynamoDB table with the default encryption options.

Correct answer: D

Explanation

By default, Amazon DynamoDB encrypts all user data at rest using an AWS owned key, which is provided at no additional cost. Since default encryption uses the AWS owned key, the developer only needs to create the table with default encryption settings. Specifying a KMSMasterKeyId is only required when using AWS KMS customer managed keys or AWS managed keys.