A company is developing an application that interacts with a DynamoDB table.
There is now a security mandate that all data must be encrypted at rest.
How can you achieve this requirement? (Select TWO)
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - A and B.
DynamoDB encryption is mandatory at the time of table creation itself and it is of two types.
i.
DEFAULT method using 'AWS owned key'
ii.
KMS method using 'AWS managed key '
Therefore the following options are correct.
A.
Enable encryption using AWS-owned CMK.
B.
Enable encryption using AWS-managed CMK.
For more information on Encryption at rest for DynamoDB, please refer to the below URL-
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmlTo achieve the requirement of encrypting data at rest in a DynamoDB table, the following two options can be used:
A. Enable encryption using AWS owned key: Amazon DynamoDB provides server-side encryption using AWS managed keys that are unique to your AWS account, and automatically rotate on a regular basis. This encryption is transparent to the application and the SDKs, as DynamoDB automatically encrypts and decrypts the data as needed. By enabling this option, you can ensure that all data stored in the DynamoDB table is encrypted at rest.
B. Enable encryption using AWS managed key: Alternatively, you can enable server-side encryption using AWS Key Management Service (KMS) customer managed keys. This option allows you to use your own keys to encrypt and decrypt the data stored in DynamoDB. With this option, you have greater control over the keys and can audit their usage. This option can also meet compliance requirements for certain regulations.
C. Enable encryption using client keys: Client-side encryption involves encrypting the data before it is sent to DynamoDB and then decrypting it after it is retrieved. This option requires the application to manage the encryption keys and can add additional complexity and management overhead.
D. Enable your application to use the SDK to decrypt the data: This option is not relevant for encrypting data at rest in DynamoDB, as it focuses on decrypting the data after it has been retrieved from the table.
In summary, the recommended options to achieve the requirement of encrypting data at rest in a DynamoDB table are to enable encryption using AWS-owned or AWS-managed keys.