Which DynamoDB feature should the Engineer use to achieve compliance?
Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
Enable S3 server-side encryption with customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
Explanations:
AWS Certificate Manager issues and renews SSL/TLS certificates for AWS endpoints; the private keys of ACM-issued public certificates are not exportable, so they cannot be used to encrypt application data, and DynamoDB has no certificate-based encryption feature.
S3 server-side encryption with customer-provided keys (SSE-C) protects objects only while they sit in Amazon S3: S3 decrypts them on every read, so whatever copies the data into DynamoDB receives plaintext, and the items then rely only on DynamoDB's own at-rest encryption rather than on keys the customer supplies.
Generating a per-record data key from a KMS master key is envelope encryption, which is the right pattern, but as written the option discards both the cleartext data key and its encrypted (wrapped) copy, so the records could never be decrypted again. Even with the wrapped key stored alongside each record, the Engineer would be hand-building and maintaining key handling, encryption contexts and integrity checks that an existing client library already provides.
The DynamoDB Encryption Client (available as a Java library) encrypts and signs attribute values on the client before PutItem, so DynamoDB only ever receives ciphertext. Key material comes from a cryptographic materials provider the customer controls, such as their own KMS key or a wrapping key they supply, and the signature covers the primary key attributes, which stay in cleartext so the table can still be queried. That gives the customer full control of the keys and meets the compliance requirement.
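The following is an added example, not code from the DynamoDB Encryption Client or from AWS, that walks through the pattern the last two explanations describe: a fresh data key per item, wrapped under a master key (a local stand-in for KMS GenerateDataKey/Decrypt), sensitive attributes encrypted under that key, the wrapped key stored in the item itself, and a signature that also binds the cleartext primary key. AES-GCM is replaced by an HMAC-SHA256 keystream plus HMAC tag so the script runs with the standard library alone; the attribute names `wrapped_data_key` and `item_signature`, the sample item and the `MASTER_KEY` constant are all this example's own assumptions.

```python
"""Client-side envelope encryption of a DynamoDB item (illustrative only)."""
import hashlib
import hmac
import json
import secrets

# Stand-in for the customer's KMS key; a real master key never leaves KMS.
MASTER_KEY = secrets.token_bytes(32)
WRAPPED_KEY_ATTR = "wrapped_data_key"   # attribute names chosen for this example
SIGNATURE_ATTR = "item_signature"

# Constructed sample item: the partition key stays in cleartext (and signed).
SAMPLE_ITEM = {"customer_id": "c-1001", "plan": "gold", "ssn": "123-45-6789", "balance": 4200}
SENSITIVE = {"ssn", "balance"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: toy stand-in for AES-CTR, not for production."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with associated data; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant time) before decrypting; raises on any modification."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def generate_data_key(master_key: bytes, context: bytes):
    """Stand-in for KMS GenerateDataKey: returns (plaintext key, wrapped key)."""
    plaintext_key = secrets.token_bytes(32)
    return plaintext_key, seal(master_key, context, plaintext_key)


def unwrap_data_key(master_key: bytes, context: bytes, wrapped: bytes) -> bytes:
    """Stand-in for KMS Decrypt; the context must match the one used at wrap time."""
    return open_(master_key, context, wrapped)


def _derive(data_key: bytes):
    """Separate encryption and signing keys from the per-item data key."""
    return (hmac.new(data_key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(data_key, b"sign", hashlib.sha256).digest())


def encrypt_item(item: dict, pk_name: str, sensitive: set, master_key: bytes = MASTER_KEY) -> dict:
    """Return the item as it would be sent to PutItem: ciphertext, wrapped key, signature."""
    context = f"{pk_name}={item[pk_name]}".encode()      # like a KMS encryption context
    data_key, wrapped = generate_data_key(master_key, context)
    enc_key, sig_key = _derive(data_key)
    stored = {}
    for name, value in item.items():
        if name != pk_name and name in sensitive:
            stored[name] = seal(enc_key, name.encode(), json.dumps(value).encode()).hex()
        else:
            stored[name] = value
    # The wrapped key travels with the item; only the cleartext key is discarded.
    stored[WRAPPED_KEY_ATTR] = wrapped.hex()
    canonical = json.dumps(stored, sort_keys=True).encode()
    stored[SIGNATURE_ATTR] = hmac.new(sig_key, canonical, hashlib.sha256).hexdigest()
    return stored


def decrypt_item(stored: dict, pk_name: str, sensitive: set, master_key: bytes = MASTER_KEY) -> dict:
    """Verify the signature, then decrypt; a missing wrapped key raises KeyError."""
    stored = dict(stored)
    signature = stored.pop(SIGNATURE_ATTR)
    context = f"{pk_name}={stored[pk_name]}".encode()
    data_key = unwrap_data_key(master_key, context, bytes.fromhex(stored[WRAPPED_KEY_ATTR]))
    enc_key, sig_key = _derive(data_key)
    canonical = json.dumps(stored, sort_keys=True).encode()
    if not hmac.compare_digest(signature, hmac.new(sig_key, canonical, hashlib.sha256).hexdigest()):
        raise ValueError("item signature invalid: an attribute or the primary key was modified")
    item = {}
    for name, value in stored.items():
        if name == WRAPPED_KEY_ATTR:
            continue
        if name != pk_name and name in sensitive:
            item[name] = json.loads(open_(enc_key, name.encode(), bytes.fromhex(value)))
        else:
            item[name] = value
    return item


if __name__ == "__main__":
    record = encrypt_item(SAMPLE_ITEM, "customer_id", SENSITIVE)
    print("stored:", record)
    print("recovered:", decrypt_item(record, "customer_id", SENSITIVE))
```

Two things the round trip makes visible: the unencrypted `plan` and `customer_id` attributes are still covered by the signature, so editing either one in the table fails verification on read, and deleting `wrapped_data_key` from the stored item (the mistake in the third option) leaves the ciphertext permanently unrecoverable because no copy of the data key exists anywhere.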