Exam AWS Certified Security - Specialty topic 1 question 477 discussion

Exam question from Amazon's AWS Certified Security - Specialty

Question #: 477
Topic #: 1

[All AWS Certified Security - Specialty Questions]

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.

Which solution will meet these requirements?

A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
B. Use AWS Private Certificate Authority. Encrypt the data in transit.
C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.

Show Suggested Answer

Suggested Answer: C 🗳️

by cloudenthusiast at June 2, 2023, 6 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

cloudenthusiast

Highly Voted 2 years, 1 month ago

Selected Answer: C

To meet the requirements of providing end-to-end data protection and detecting unauthorized data changes in a web-based application that captures and stores sensitive data in an Amazon DynamoDB table, the most suitable solution would be option C: Use the DynamoDB Encryption Client, use client-side encryption, and sign the table items. The DynamoDB Encryption Client allows you to encrypt the data at the client-side before it is sent to DynamoDB. This ensures that the data is protected both in transit and at rest. By using client-side encryption, the sensitive data remains encrypted throughout its lifecycle, from the moment it leaves the client application until it is stored in DynamoDB. Additionally, signing the table items provides a mechanism for detecting unauthorized data changes. The signature ensures that the data has not been tampered with during transit or storage. If any unauthorized modifications occur, the signature verification will fail, indicating a potential security breach.

upvoted 7 times

...

Raphaello

Most Recent 1 year, 4 months ago

Selected Answer: C

DynamoDB encryption client, and client-side encryption to ensure end-to-end encryption to data, and only allows authorized data changes. C.

upvoted 1 times

...

[Removed]

1 year, 9 months ago

Selected Answer: C

Dated Question but the answer is C https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/client-server-side.html

upvoted 1 times

[Removed]

1 year, 9 months ago

Also from the link above "If you are encrypting data that you store in DynamoDB, we recommend the AWS Database Encryption SDK for DynamoDB. The AWS Encryption SDK is a client-side encryption library that helps you to encrypt and decrypt generic data. Although it can protect any type of data, it isn't designed to work with structured data, like database records. Unlike the AWS Database Encryption SDK for DynamoDB, the AWS Encryption SDK cannot provide item-level integrity checking and it has no logic to recognize attributes or prevent encryption of primary keys. If you use the AWS Encryption SDK to encrypt any element of your table, remember that it isn't compatible with the AWS Database Encryption SDK for DynamoDB. You cannot encrypt with one library and decrypt with the other."

upvoted 1 times

...