AWS Certified Security – Specialty — Question 477
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.
Which solution will meet these requirements?
Answer options
- A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
- B. Use AWS Private Certificate Authority. Encrypt the data in transit.
- C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
- D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.
Correct answer: C
Explanation
The DynamoDB Encryption Client is specifically designed to perform client-side encryption on DynamoDB items, which encrypts data before it leaves the application and signs the items to detect any unauthorized modifications. While the AWS Encryption SDK is a powerful tool for client-side encryption, it does not natively understand DynamoDB's attribute structure or provide item-level signing. Using KMS customer managed keys or AWS Private CA only protects data at rest or in transit respectively, failing to provide the end-to-end cryptographic signatures needed to detect tampering at the item level.
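To make the item-level signing concrete, here is an added stdlib-only Python illustration (not the DynamoDB Encryption Client itself, whose real attribute names, key material and encryption step are omitted): every attribute of an item, including the partition key, is covered by an HMAC stored as a constructed extra attribute named `item_signature`, so any edit, addition or deletion made outside the application fails verification on read. The signing key is a constructed placeholder.

```python
import hashlib
import hmac
import json

# Hypothetical name for the attribute that carries the item signature.
SIGNATURE_ATTR = "item_signature"

# Constructed placeholder; a real deployment would derive this from a
# KMS-protected data key, never embed it in code.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def canonicalize(item: dict) -> bytes:
    """Deterministic bytes over every attribute except the signature itself.
    Sorted keys and fixed separators make the encoding independent of the
    order in which attributes were written or returned by the table."""
    body = {k: v for k, v in item.items() if k != SIGNATURE_ATTR}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_item(item: dict, key: bytes) -> dict:
    """Return a copy of the item with an HMAC-SHA256 over all attributes,
    computed before the item leaves the application."""
    signed = dict(item)
    signed[SIGNATURE_ATTR] = hmac.new(key, canonicalize(item), hashlib.sha256).hexdigest()
    return signed


def verify_item(item: dict, key: bytes) -> bool:
    """Recompute the signature on read; constant-time compare to avoid
    leaking how many leading bytes matched."""
    expected = hmac.new(key, canonicalize(item), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, item.get(SIGNATURE_ATTR, ""))


def demo() -> tuple:
    """Constructed item: signed copy verifies, three tampered copies do not."""
    item = {"customer_id": "c-1001", "ssn_last4": "1234", "balance": 250}
    stored = sign_item(item, SIGNING_KEY)

    changed = dict(stored)            # value edited directly in the table
    changed["balance"] = 250000
    removed = dict(stored)            # attribute deleted
    del removed["ssn_last4"]
    added = dict(stored)              # attribute injected
    added["role"] = "admin"

    return (verify_item(stored, SIGNING_KEY), verify_item(changed, SIGNING_KEY),
            verify_item(removed, SIGNING_KEY), verify_item(added, SIGNING_KEY))


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The signature covers the primary key as well, so an item whose attributes were copied under a different key also fails verification.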