AWS Certified Security – Specialty — Question 448
A company's application uses Amazon DynamoDB to store data. The company's security policy requires all data to be encrypted at rest. The security policy also requires the company to use an on-premises hardware security module (HSM) to generate and manage the company's encryption keys.
A security engineer uses the on-premises HSM to generate an encryption key.
What should the security engineer do next to meet these requirements?
Answer options
- A. Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
- B. Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
- C. Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
- D. Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Use the AWS SDK integration with AWS KMS to encrypt the data locally by using the new KMS key. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
Correct answer: A
Explanation
To use key material generated by an on-premises HSM, a customer managed key in AWS KMS must be used, as AWS managed keys do not support importing external key material. DynamoDB must have continuous access to this KMS key to perform encryption and decryption operations at rest, meaning the key cannot be disabled. Therefore, generating a customer managed key, importing the material, granting DynamoDB access, and creating the table with this key is the correct procedure.
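The procedure in option A, written out as AWS CLI v2 commands. This is an added example and not part of the exam page or of any AWS documentation; it assumes a configured CLI, the HSM-generated 256-bit key in a local file (placeholder path), and a placeholder account id and IAM role for the key policy. Every step goes through a small `run` wrapper, so with `DRY_RUN=1` the script only prints the commands and can be reviewed without an account. It also shows the two places where the wrong options fail: an AWS managed key cannot be created with `--origin EXTERNAL` (C, D), and the key must stay enabled for as long as the table exists (B, D).

```shell
#!/bin/sh
# Added example, not code from the exam page or from AWS: the option-A
# procedure as AWS CLI v2 commands. Assumes a configured CLI, the HSM-generated
# 256-bit key in a local file (placeholder path), and a placeholder account id
# and IAM role for the key policy. DRY_RUN=1 prints the commands instead of
# running them, so the script can be reviewed (and tested) without an account.
set -eu

REGION="${AWS_REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                           # placeholder
APP_ROLE="${APP_ROLE:-DynamoDBAppRole}"                            # placeholder
HSM_KEY_FILE="${HSM_KEY_FILE:-/path/to/PlaintextKeyMaterial.bin}"  # placeholder
TABLE_NAME="${TABLE_NAME:-Orders}"                                 # constructed
WORK="${WORK:-$(mktemp -d)}"

# Trace every command on stderr; execute it unless DRY_RUN=1.
run() {
  echo "+ $*" >&2
  [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Step 1: a customer managed key created without key material (Origin=EXTERNAL).
# AWS managed keys cannot be created this way, which is why options C and D fail.
create_external_key() {
  run aws kms create-key --region "$REGION" --origin EXTERNAL \
    --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT \
    --description "HSM-sourced key for DynamoDB table $TABLE_NAME" \
    --query KeyMetadata.KeyId --output text
}

# Step 2: fetch the RSA wrapping key and import token in ONE call (they are a
# matched pair), wrap the HSM key material locally with RSAES-OAEP/SHA-256, and
# import it without an expiry. Expiring material would later drop the key into
# PendingImport, which is as fatal for the table as disabling the key.
import_hsm_key_material() {
  key_id="$1"
  run aws kms get-parameters-for-import --region "$REGION" --key-id "$key_id" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
    --query '[PublicKey,ImportToken]' --output text > "$WORK/params.txt"
  run sh -c "cut -f1 '$WORK/params.txt' | base64 -d > '$WORK/WrappingKey.der'"
  run sh -c "cut -f2 '$WORK/params.txt' | base64 -d > '$WORK/ImportToken.bin'"
  run openssl pkeyutl -encrypt -in "$HSM_KEY_FILE" \
    -out "$WORK/EncryptedKeyMaterial.bin" \
    -inkey "$WORK/WrappingKey.der" -keyform DER -pubin \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
  run aws kms import-key-material --region "$REGION" --key-id "$key_id" \
    --encrypted-key-material "fileb://$WORK/EncryptedKeyMaterial.bin" \
    --import-token "fileb://$WORK/ImportToken.bin" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
}

# Step 3: key policy. The first statement keeps the account in control; the
# second lets the application role use the key only through DynamoDB in this
# region. DynamoDB needs CreateGrant in addition to the cryptographic actions.
key_policy_json() {
  account="$1"; region="$2"; role="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AccountAdmin", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account}:root" },
      "Action": "kms:*", "Resource": "*" },
    { "Sid": "DynamoDBUseOnly", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account}:role/${role}" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant" ],
      "Resource": "*",
      "Condition": { "StringEquals": {
        "kms:ViaService": "dynamodb.${region}.amazonaws.com",
        "kms:CallerAccount": "${account}" } } }
  ]
}
EOF
}

grant_dynamodb_access() {
  key_id="$1"
  key_policy_json "$ACCOUNT_ID" "$REGION" "$APP_ROLE" > "$WORK/key-policy.json"
  run aws kms put-key-policy --region "$REGION" --key-id "$key_id" \
    --policy-name default --policy "file://$WORK/key-policy.json"
}

# Step 4: the table, with server-side encryption pointed at the imported key.
create_encrypted_table() {
  key_arn="$1"
  run aws dynamodb create-table --region "$REGION" --table-name "$TABLE_NAME" \
    --attribute-definitions AttributeName=pk,AttributeType=S \
    --key-schema AttributeName=pk,KeyType=HASH \
    --billing-mode PAY_PER_REQUEST \
    --sse-specification "Enabled=true,SSEType=KMS,KMSMasterKeyId=$key_arn"
}

# Step 5: checks. Expect Origin=EXTERNAL, KeyState=Enabled and
# KEY_MATERIAL_DOES_NOT_EXPIRE. The key is never disabled (options B and D):
# once it is, DynamoDB can no longer decrypt the table's data.
verify() {
  key_id="$1"
  run aws kms describe-key --region "$REGION" --key-id "$key_id" \
    --query 'KeyMetadata.[Origin,KeyState,ExpirationModel]' --output text
  run aws dynamodb describe-table --region "$REGION" --table-name "$TABLE_NAME" \
    --query 'Table.SSEDescription' --output json
}

main() {
  key_id=$(create_external_key)
  import_hsm_key_material "$key_id"
  grant_dynamodb_access "$key_id"
  create_encrypted_table "$key_id"   # KMSMasterKeyId accepts a key id or ARN
  verify "$key_id"
}

if [ "${RUN_PROCEDURE:-0}" = "1" ]; then main; fi
```

Run with `RUN_PROCEDURE=1 sh import-hsm-key.sh` against a real account, or with `DRY_RUN=1 RUN_PROCEDURE=1` to see the command sequence first. Only the KMS steps (1 and 2) are specific to the HSM requirement; the `kms:ViaService` condition in step 3 is what keeps the imported key usable by DynamoDB for this table without letting the application role call KMS directly with it.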