Exam AWS Certified Developer Associate topic 1 question 183 discussion

A https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html AWS owned key – Default encryption type. The key is owned by DynamoDB (no additional charge). AWS managed key – The key is stored in your account and is managed by AWS KMS (AWS KMS charges apply). Customer managed key – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (AWS KMS charges apply).

The simplest way to configure encryption server-side is to use the default configurations (KMS Key reserved for DynamoDB). A is correct

The correct answer is A. Create the DynamoDB table by using default encryption settings. Creating a DynamoDB table by using default encryption settings will automatically encrypt the entire table at rest without any additional configuration. This option is the most cost-effective as there are no additional costs for configuring encryption or using additional services. Option B, using the DynamoDB Encryption Client, provides client-side encryption to encrypt data before it is sent to DynamoDB. While this option also encrypts the entire table at rest, it requires additional effort and complexity to implement and manage. Option C, configuring encryption at rest with an AWS KMS AWS managed key, is a good solution for greater control over encryption keys and to meet specific compliance requirements. However, this option incurs additional costs for using AWS KMS. Option D, configuring encryption at rest with an AWS KMS customer managed key, provides even greater control over encryption keys, but also incurs additional costs for using AWS KMS and managing the customer-managed key.

Amazon DynamoDB always encrypts all your data at rest by default to help enhance the security of your DynamoDB data. The only choice a developer has is to choose how this encryption is performed. Reference: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

The answer is A. The question is asking for the most cost-effective option. You need to select the default option which encrypts data at rest using AWS owned key. No encryption charges apply with this option. If you choose any option that involves KMS, remember that it is a paid service and charges will apply.

C The default encryption setting for Amazon DynamoDB is unencrypted

The most cost-effective solution for encrypting an Amazon DynamoDB table at rest would be to enable server-side encryption using AWS KMS (Key Management Service) managed keys. This option is available at no extra charge, and it ensures that all data stored in the table is encrypted. Simply enable server-side encryption using the default KMS key when creating the DynamoDB table.

Default encryption type. The key is owned by DynamoDB (no additional charge).

The default encryption setting for Amazon DynamoDB is unencrypted so A is out. Option B would require the development and maintenance of additional custom code, which would increase costs.

BBBBBB https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html

Why not B? Each rule can have up to 5 targets

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html