AWS Certified Cloud Practitioner / Question #775 of 719

Question #775

A company is using Amazon DynamoDB with server-side encryption enabled. According to the AWS shared responsibility model, which task is the company responsible for?

A. Maintain the physical security of DynamoDB servers.

B. Manage the encryption keys used for data protection.

C. Replace faulty hardware underlying the DynamoDB service.

D. Apply security patches to DynamoDB backend infrastructure.

Explanation

In the AWS shared responsibility model, AWS manages the security of the cloud (e.g., physical infrastructure, hardware, DynamoDB backend), while the customer is responsible for security in the cloud (e.g., data protection, access controls).

- Option B is correct: When server-side encryption (SSE) is enabled, DynamoDB encrypts data at rest, but the customer is responsible for managing encryption keys (e.g., creating, rotating, or revoking keys via AWS KMS).
- Options A, C, and D are incorrect: AWS handles physical security of servers (A), hardware maintenance (C), and backend infrastructure patches (D).

Key Point: For managed services like DynamoDB, customers retain responsibility for data-level controls, including encryption key management.

Answer

The correct answer is: B