Question #806
A developer needs to use Amazon DynamoDB to store user profiles. The company mandates that all user data must be encrypted at rest using a key generated and managed by the company.
What should the developer do to fulfill these requirements?
Create the DynamoDB table without encryption. Implement encryption in the application layer, using the company's key to encrypt data before writing to the table and decrypt when reading.
Store the encryption key in AWS KMS as a customer-managed key. Create the DynamoDB table, selecting the AWS KMS customer managed key and providing its ARN.
Use AWS KMS to store the key. Create the DynamoDB table with default encryption. Include the KMS key ARN in the DynamoDB SDK's Encrypt parameter during data operations.
Store the key in AWS KMS using an AWS-managed key. Specify this key's ARN when creating the DynamoDB table.
Explanation
Answer B is correct because:
- DynamoDB natively supports encryption at rest using AWS KMS keys. By creating a customer-managed key (CMK) in KMS and specifying its ARN when creating the DynamoDB table, the company maintains control over the key lifecycle and encryption.
Why other options are incorrect:
- A: Implementing encryption at the application layer adds unnecessary complexity and bypasses DynamoDB's built-in encryption, which is more secure and efficient.
- C: Default DynamoDB encryption uses an AWS-managed key. Including a KMS key ARN in the SDK does not override the table's encryption settings.
- D: AWS-managed keys are controlled by AWS, violating the requirement for company-managed keys.
Key Points:
1. Use DynamoDB's built-in encryption with AWS KMS CMKs for encryption at rest.
2. Specify the CMK ARN during table creation to ensure data is encrypted with the company-managed key.
3. Avoid application-layer encryption when DynamoDB's native encryption meets requirements.
Answer
The correct answer is: B