AWS Certified Security – Specialty — Question 491
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB.
The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
Answer options
- A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
- B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
- C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
- D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
Correct answer: D
Explanation
Using the DynamoDB Java encryption client enables client-side encryption: data is encrypted before it is uploaded to DynamoDB, so the organization retains complete control over its encryption keys. The other options are incorrect because AWS Certificate Manager issues TLS certificates and is not used for encrypting database records, S3 server-side encryption applies to objects in S3 and does not carry over to DynamoDB, and discarding the encrypted data keys in option C would make it impossible to decrypt the data later.