AWS Certified Security – Specialty — Question 279
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes. The software engineering team needs to make changes that will address the audit findings.
Which set of steps should the software engineering team take?
Answer options
- A. Use an AWS Key Management Service (AWS KMS) CMK. Encrypt the data at rest.
- B. Use AWS Certificate Manager (ACM) Private Certificate Authority. Encrypt the data in transit.
- C. Use a DynamoDB encryption client. Use client-side encryption and sign the table items.
- D. Use the AWS Encryption SDK. Use client-side encryption and sign the table items.
Correct answer: C
Explanation
The Amazon DynamoDB Encryption Client is designed to give DynamoDB data end-to-end protection: it encrypts and signs table items in the application before they are sent to the database. Because the encryption happens client-side, the attribute values remain protected in transit and at rest, and the item signature lets the application detect any unauthorized modification when it reads the item back. The other options fall short of the audit findings: server-side encryption with a KMS CMK (option A) covers data at rest only, ACM Private CA (option B) covers data in transit only, and the general-purpose AWS Encryption SDK (option D) does not natively understand DynamoDB's item structure or provide the item-level signing that the DynamoDB Encryption Client offers.