Free AWS DVA-C01 Actual Exam Questions - Question 7 Discussion

Question No. 7
A developer needs to use Amazon DynamoDB to store customer orders. The developer's company
requires all customer data to be encrypted at rest with a key the company generates.
What should the developer do to meet these requirements?
Ali B.
2026-02-10

It’s B because it explicitly requires a customer managed key from AWS KMS for encryption.

0
Ali B.
2026-01-28

C imo, because default encryption with DynamoDB uses AWS owned keys unless you specify a customer managed key. Option C mentions using the kms:Encrypt parameter with the ARN, which suggests explicitly telling DynamoDB to use that customer managed key for encryption operations. That feels like a more hands-on, secure approach compared to B, which is just about choosing a key during table creation but doesn’t mention the encryption parameter during SDK operations. So, C covers both storage and usage of the key properly.

0
Brian F.
2026-01-19

This one seems pretty straightforward if you need to use a key the company generates, which implies a customer managed key. So, option B makes the most sense since it explicitly calls for choosing a customer managed key in KMS during table creation. Option D talks about an AWS managed key, which wouldn’t fit the requirement of using a company-generated key. Option A is basically manual encryption and decryption, which is unnecessary and error-prone here. Option C mixes default encryption with a parameter in the SDK, which isn’t how you enforce the use of a specific customer key at rest. So, B

0
Ethan O.
2026-01-17

B imo, uses customer managed key for encryption at rest.

0
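
The key types this thread distinguishes (the default AWS owned key, an AWS managed key, a customer managed key) can be told apart on existing tables. The following is an added example, not part of any commenter's post: it classifies tables from the `Table` dict returned by DynamoDB `DescribeTable` and the `KeyMetadata` returned by KMS `DescribeKey`. Function names, ARNs and sample data are constructed for illustration.

```python
# Added example: offline check of which kind of key encrypts a DynamoDB table.
# Inputs mirror the DynamoDB DescribeTable and KMS DescribeKey response shapes;
# the sample dicts below are constructed, not captured from a real account.

def sse_specification_for_cmk(key_arn):
    """SSESpecification to pass to CreateTable so the table uses this KMS key."""
    return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": key_arn}

def classify_table_encryption(table, key_metadata_by_arn):
    """Return 'aws-owned', 'aws-managed', 'customer-managed' or 'unknown'.

    table: the 'Table' dict from DescribeTable.
    key_metadata_by_arn: KMS DescribeKey 'KeyMetadata' dicts keyed by key ARN.
    """
    sse = table.get("SSEDescription")
    # DynamoDB omits SSEDescription for tables on the default AWS owned key.
    if not sse or sse.get("SSEType") != "KMS":
        return "aws-owned"
    meta = key_metadata_by_arn.get(sse.get("KMSMasterKeyArn"))
    if meta is None:
        return "unknown"  # key was not described, so its manager is not known
    return "customer-managed" if meta.get("KeyManager") == "CUSTOMER" else "aws-managed"

def noncompliant_tables(tables, key_metadata_by_arn):
    """(name, kind) for tables not on an enabled customer managed key."""
    bad = []
    for t in tables:
        kind = classify_table_encryption(t, key_metadata_by_arn)
        status = t.get("SSEDescription", {}).get("Status")
        if kind != "customer-managed" or status != "ENABLED":
            bad.append((t["TableName"], kind))
    return bad

# Constructed sample data (placeholder account id and key ids).
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED"
KEYS = {CMK: {"KeyManager": "CUSTOMER"}, AWS_KEY: {"KeyManager": "AWS"}}
TABLES = [
    {"TableName": "orders", "SSEDescription":
        {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK}},
    {"TableName": "orders-staging", "SSEDescription":
        {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_KEY}},
    {"TableName": "orders-legacy"},  # default encryption, AWS owned key
]

if __name__ == "__main__":
    print(sse_specification_for_cmk(CMK))
    print(noncompliant_tables(TABLES, KEYS))
```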