Encrypting Data at Rest in DynamoDB - Best Practices

How to Encrypt Data at Rest in DynamoDB with .NET Core

Question

Your company is going to develop an application in .NET Core with DynamoDB.

There is a requirement that all data needs to be encrypted at rest.

If the DynamoDB table has already been created, what else is needed to achieve this?

Answers

Explanations

A. B. C. D.

Answer - A.

Option B is incorrect since encryption can only be configured at table creation time.

Options C and D are incorrect since encryption is possible in DynamoDB. The AWS documentation mentions the following.

Amazon DynamoDB offers fully managed encryption at rest.

DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB.

This functionality eliminates the operational burden and complexity involved in protecting sensitive data.

For more information on DynamoDB encryption at rest, refer to the link below:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

The correct answer is B. Enable encryption on the existing table.

Amazon DynamoDB provides encryption at rest by encrypting all table data using an AES-256 algorithm. By default, server-side encryption is enabled on all DynamoDB table data. However, this does not mean that encryption is automatically enabled for all existing tables. You must enable encryption for each table individually.

To enable encryption at rest for an existing DynamoDB table, you can perform the following steps:

  1. Open the Amazon DynamoDB console.
  2. Choose the table that you want to encrypt.
  3. Choose the "Manage DynamoDB Encryption" option from the "Actions" dropdown menu.
  4. Choose the KMS key that you want to use to encrypt the table.
  5. Choose the "Encrypt" button.

After you have enabled encryption for a table, all data that is written to the table will be encrypted at rest. Note that you cannot disable encryption after it has been enabled for a table.

Option A is incorrect because while server-side encryption is enabled on all DynamoDB table data, it does not mean that encryption is automatically enabled for all existing tables.

Option C is incorrect because you can enable encryption at rest for DynamoDB tables.

Option D is incorrect because S3 is a different service from DynamoDB, and it does not provide encryption for table data at rest.