AWS Certified Developer – Associate — Question 366
A developer is creating a Java application that will store sensitive data in an Amazon DynamoDB table. The data must be encrypted at all times.
How can the developer meet this requirement?
Answer options
- A. Enable encryption at rest by using an AWS Key Management Service (AWS KMS) AWS owned key for the DynamoDB table.
- B. Enable encryption at rest by using an AWS Key Management Service (AWS KMS) customer managed key for the DynamoDB table.
- C. Implement client-side encryption in the application code by using the DynamoDB Encryption Client.
- D. Use an HTTPS connection to encrypt data in transit.
Correct answer: C
Explanation
To keep the data encrypted at all times (in transit and at rest, starting before it leaves the application), client-side encryption must be implemented using the DynamoDB Encryption Client. The server-side encryption options (A and B) encrypt the data only after it reaches DynamoDB, whereas HTTPS (D) protects the data only while it is in transit. Client-side encryption guarantees that the sensitive data remains encrypted throughout its entire lifecycle, from the application to the database and back.