AWS Certified Security – Specialty (SCS-C02) — Question 272
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.
Which solution will meet these requirements?
Answer options
- A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
- B. Use AWS Private Certificate Authority. Encrypt the data in transit.
- C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
- D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.
Correct answer: C
Explanation
The DynamoDB Encryption Client (since renamed the AWS Database Encryption SDK for DynamoDB) is the only option that covers both requirements. It encrypts attribute values inside the application, before the item is sent to DynamoDB, and it computes a signature over the item's attributes, including the primary key attributes, which are signed but left in plaintext so the table stays queryable. The signature is stored as an extra attribute on the item and is checked on every read, so any change made to a stored item outside the client (an edit through the console, an UpdateItem call by an over-privileged IAM principal, a swapped attribute value) fails verification instead of being silently accepted. Because the encryption and signing keys never leave the client, the data is protected in transit, at rest, and from anyone who merely has access to the table, which is what "end-to-end" means here. The keys themselves are normally protected with AWS KMS through the client's KMS-backed material provider, so option C does not exclude KMS; it adds the client-side layer that KMS alone does not give.

Option D is the closest distractor. The AWS Encryption SDK is a general-purpose client-side encryption library that works on opaque blobs; it is not aware of DynamoDB item structure, so the only way to use it here would be to serialize the whole item and store it as a single binary attribute, losing per-attribute access and queryability. "Sign the table items" is not a feature it offers; item-level signing that understands attributes and primary keys is exactly what the DynamoDB-specific client was built for.

Option A is server-side encryption. DynamoDB already encrypts every table at rest (with an AWS owned key by default); choosing a customer managed KMS key changes who controls the key but not the trust model: any principal with read permission on the table still receives plaintext, and nothing detects that an item was modified. Option B is also incomplete: AWS Private CA issues certificates, it does not encrypt anything by itself, and connections to DynamoDB endpoints are already protected by TLS with public certificates. Neither A nor B protects data from parties with table access, and neither provides item-level tamper detection.

Practical caveats for the correct answer: attributes that are encrypted cannot be used in key conditions, filter expressions or secondary indexes, so design the key schema and any searchable attributes to stay unencrypted (they are still signed); every item grows by the signature and material-description attributes; and reads that skip the client (for example a raw Scan from another tool) will see ciphertext and unverified data, so all application paths that touch the table must go through the client.
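To make the "detect unauthorized data changes" requirement concrete, the following is an added example written for this page; it is not code from the question, from AWS, or from the DynamoDB Encryption Client. It uses only the Python standard library to sign a DynamoDB-style item with HMAC-SHA256 over a canonical encoding of all its attributes (the signature attribute name `item_sig`, the table name, the attribute names and the sample values are all made up for the example, and the ciphertext value stands in for an attribute that is assumed to have been encrypted client-side already). The real client uses DynamoDB-type-aware serialization and KMS-managed keys, but the detection behaviour it illustrates is the same: any edit, swap or removal of an attribute, and any attempt to re-sign without the key, makes verification fail on read. Binding the table name into the signed bytes is a design choice of this example, so that a validly signed item copied into another table is rejected too.

```python
# Added example: item-level signing to detect tampering with stored DynamoDB items.
# Not the DynamoDB Encryption Client; a stdlib-only illustration of the same idea.
import hashlib
import hmac
import json
import os

# Hypothetical name of the attribute that carries the signature alongside the item.
SIG_ATTR = "item_sig"


def canonicalize(table_name: str, item: dict) -> bytes:
    """Deterministic byte encoding of every attribute except the signature.

    Sorted keys and fixed separators mean the same item always yields the
    same bytes regardless of attribute order. The table name is mixed in so
    that a signed item moved to a different table does not verify there.
    """
    body = {k: v for k, v in item.items() if k != SIG_ATTR}
    payload = {"table": table_name, "item": body}
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_item(table_name: str, item: dict, key: bytes) -> dict:
    """Return a copy of `item` carrying an HMAC-SHA256 over all its attributes."""
    mac = hmac.new(key, canonicalize(table_name, item), hashlib.sha256).hexdigest()
    return {**item, SIG_ATTR: mac}


def verify_item(table_name: str, item: dict, key: bytes) -> bool:
    """True only if the stored signature matches a fresh HMAC over the item."""
    stored = item.get(SIG_ATTR)
    if not isinstance(stored, str):
        return False  # unsigned item: treat as untrusted rather than as valid
    expected = hmac.new(key, canonicalize(table_name, item), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored)


def demo() -> dict:
    """Sign a constructed item, then check which kinds of tampering are caught."""
    key = os.urandom(32)  # application signing key; in practice protected by KMS
    table = "Patients"    # constructed table name
    # Constructed sample item: ssn_ct is assumed to be client-side ciphertext,
    # the primary key and tier are plaintext (and therefore still queryable).
    item = {"patient_id": "p-1001", "ssn_ct": "b64:ciphertext-of-ssn", "tier": "standard"}
    signed = sign_item(table, item, key)

    results = {"untouched_verifies": verify_item(table, signed, key)}

    # 1. A plaintext attribute edited directly in the table (e.g. via UpdateItem).
    edited = {**signed, "tier": "admin"}
    results["plaintext_edit_detected"] = not verify_item(table, edited, key)

    # 2. Ciphertext replaced with another record's ciphertext (encryption alone
    #    would not notice this; the signature does).
    swapped = {**signed, "ssn_ct": "b64:ciphertext-of-someone-else"}
    results["ciphertext_swap_detected"] = not verify_item(table, swapped, key)

    # 3. An attribute removed entirely.
    stripped = {k: v for k, v in signed.items() if k != "tier"}
    results["attribute_removal_detected"] = not verify_item(table, stripped, key)

    # 4. The whole signed item copied into a different table.
    results["cross_table_copy_detected"] = not verify_item("Archive", signed, key)

    # 5. An attacker re-signs the edited item without the real key.
    resigned = sign_item(table, edited, b"wrong-key")
    results["forged_signature_detected"] = not verify_item(table, resigned, key)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

Note what this does and does not give you: the signature lets the reader refuse tampered items, but it does not stop the write from happening or tell you who made it; pair it with CloudTrail data events on the table and least-privilege IAM so that the unexpected UpdateItem is both rejected by the client and visible in the logs.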