Encrypting Data at Rest in DynamoDB | AWS Certified Big Data - Specialty Exam Prep

How to Encrypt Data at Rest in DynamoDB

Question

A company currently has a set of DynamoDB tables already defined and items already exist in the tables.

As per the company's updated security policy, it is now mandated that all data needs to be encrypted at rest. How can this be achieved?

Answers

A. Enable encryption for the DynamoDB tables.
B. Enable global tables and then enable encryption.
C. Create new tables with encryption enabled.
D. Use the encryption flag for the table.

Explanations

Answer - C.

The AWS documentation states the following:

Encryption at rest can be enabled only when you are creating a new DynamoDB table.

Currently, you can't enable encryption at rest on an existing table.

After encryption at rest is enabled, it can't be disabled.

We recommend that you enable encryption for any tables that contain sensitive data.

Because this is stated explicitly in the documentation, all other options are incorrect: encryption cannot be turned on for the tables that already exist (options A and D), and enabling global tables (option B) does not change that. Note that the quoted text describes the feature as it was originally launched. DynamoDB now encrypts every table at rest by default with an AWS owned key, and the key type can be switched on an existing table with UpdateTable (the SSESpecification parameter), so in a current account the practical question is which KMS key type the policy requires, not whether encryption is on at all.

For more information on encryption at rest for DynamoDB, see the following URL:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

To comply with the updated security policy, the company needs to encrypt all the data at rest in its DynamoDB tables. The options can be assessed as follows:

Option A: Enable encryption for the DynamoDB tables: DynamoDB encrypts data at rest with a key held in AWS Key Management Service (KMS), and you can choose a customer managed KMS key instead of the default key when the table is created. However, the documentation quoted above states that encryption at rest can only be enabled when a table is created, so it cannot simply be switched on for the existing tables.

Option B: Enable global tables and then enable encryption: Global tables are DynamoDB's multi-Region, multi-active replication feature. Replication does not change a table's encryption setting, and enabling global tables first still runs into the same restriction that encryption is chosen at creation time, so this option does not address the existing tables either.

Option C: Create new tables with encryption enabled: Because encryption at rest is chosen when a table is created, the way to satisfy the policy for data that already exists is to create new tables with encryption enabled, migrate the existing items into them (for example with a paginated Scan of the old table and batch writes into the new one), and repoint the application. This requires additional effort and may affect application logic that references the existing table names, but it is the only option consistent with the documentation, which is why it is the correct answer.

Option D: Use the encryption flag for the table: In the DynamoDB API the setting is the SSESpecification parameter (Enabled, SSEType and KMSMasterKeyId) rather than a simple flag, and under the documentation quoted above it is honoured only on CreateTable, so it does not help with tables that already exist. Relying on the default key also gives no control over key management; a customer managed KMS key is what you would choose if the policy requires control over the key.

Overall, the option that satisfies the policy for the tables and items that already exist is Option C: create new tables with encryption enabled and migrate the data into them.
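The migration described under Option C, as an added worked example that is not code from the original page or from AWS: a Python script that builds the CreateTable request for an encrypted replacement table (a customer managed KMS key via SSESpecification), copies the existing items with a paginated Scan and batch writes, and classifies which key type each table is actually using. The table names, key ARNs, and the sample DescribeTable responses are constructed assumptions, as is the assumption that a table on the AWS owned key has no SSEDescription in its DescribeTable output.

```python
"""Added example (not from the original page or from AWS): build an encrypted
replacement DynamoDB table, copy the existing items into it, and classify which
KMS key a table is using. Names, ARNs and sample responses are constructed."""
try:
    import boto3  # needed only for migrate(); the helpers below are pure
except ImportError:  # pragma: no cover
    boto3 = None

# Constructed values; replace with your own.
SOURCE_TABLE = "orders"
TARGET_TABLE = "orders-encrypted"
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-0000-0000-0000-000000000000"


def create_table_request(name, key_schema, attribute_definitions, kms_key_arn=None):
    """CreateTable parameters that request server-side encryption.
    SSESpecification {Enabled: True, SSEType: "KMS"} selects a KMS key;
    KMSMasterKeyId picks a customer managed key, otherwise DynamoDB uses
    the AWS managed key alias/aws/dynamodb."""
    sse = {"Enabled": True, "SSEType": "KMS"}
    if kms_key_arn:
        sse["KMSMasterKeyId"] = kms_key_arn
    # Only attributes used in a key schema may appear in AttributeDefinitions
    # (secondary indexes are not recreated by this example).
    key_names = {k["AttributeName"] for k in key_schema}
    return {
        "TableName": name,
        "KeySchema": key_schema,
        "AttributeDefinitions": [a for a in attribute_definitions if a["AttributeName"] in key_names],
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": sse,
    }


def encryption_status(describe_table_response, key_manager):
    """Classify a table's at-rest key from DescribeTable output.
    key_manager(arn) returns KMS KeyMetadata.KeyManager ("AWS" or "CUSTOMER");
    DescribeTable alone cannot separate an AWS managed key from a customer
    managed one, since both are reported as a key ARN. Assumption: a table
    on the AWS owned key has no SSEDescription at all."""
    sse = describe_table_response["Table"].get("SSEDescription")
    if sse is None:
        return "AWS_OWNED"
    arn = sse.get("KMSMasterKeyArn")
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS" or not arn:
        return "NOT_ENABLED"
    return "CUSTOMER_MANAGED" if key_manager(arn) == "CUSTOMER" else "AWS_MANAGED"


def noncompliant_tables(responses, key_manager, required="CUSTOMER_MANAGED"):
    """Names of tables whose key type is weaker than the policy requires."""
    rank = {"NOT_ENABLED": 0, "AWS_OWNED": 1, "AWS_MANAGED": 2, "CUSTOMER_MANAGED": 3}
    return [r["Table"]["TableName"] for r in responses
            if rank[encryption_status(r, key_manager)] < rank[required]]


def copy_items(src, dst, page_size=100):
    """Scan every page of src and batch-write the items into dst; returns the count.
    Scan must be paginated with LastEvaluatedKey (one call returns at most 1 MB)."""
    copied, kwargs = 0, {"Limit": page_size}
    with dst.batch_writer() as batch:
        while True:
            page = src.scan(**kwargs)
            for item in page["Items"]:
                batch.put_item(Item=item)
                copied += 1
            if "LastEvaluatedKey" not in page:
                return copied
            kwargs["ExclusiveStartKey"] = page["LastEvaluatedKey"]


def migrate(source=SOURCE_TABLE, target=TARGET_TABLE, kms_key_arn=CMK_ARN):
    """Live migration: create the encrypted table with the source's key schema,
    copy the items, then report which key the new table actually uses."""
    ddb, kms = boto3.client("dynamodb"), boto3.client("kms")
    desc = ddb.describe_table(TableName=source)["Table"]
    ddb.create_table(**create_table_request(target, desc["KeySchema"],
                                            desc["AttributeDefinitions"], kms_key_arn))
    ddb.get_waiter("table_exists").wait(TableName=target)
    res = boto3.resource("dynamodb")
    n = copy_items(res.Table(source), res.Table(target))
    manager = lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
    return n, encryption_status(ddb.describe_table(TableName=target), manager)


# Constructed DescribeTable responses, trimmed to the fields used here.
SAMPLE_RESPONSES = [
    {"Table": {"TableName": "orders"}},  # no SSEDescription: AWS owned key
    {"Table": {"TableName": "orders-encrypted", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK_ARN}}},
    {"Table": {"TableName": "sessions", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_KEY_ARN}}},
]
# Stand-in for kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"].
SAMPLE_KEY_MANAGER = {CMK_ARN: "CUSTOMER", AWS_KEY_ARN: "AWS"}.get

if __name__ == "__main__":
    print(noncompliant_tables(SAMPLE_RESPONSES, SAMPLE_KEY_MANAGER))  # ['orders', 'sessions']
```

The classification deliberately goes through KMS DescribeKey rather than pattern-matching the ARN: DescribeTable reports both the AWS managed key and a customer managed key as a plain key ARN, so KeyMetadata.KeyManager is the reliable way to prove to an auditor which kind of key protects a table. Global secondary indexes, stream settings and TTL are not carried across by migrate(); add them to the CreateTable request before using this against real tables.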