Which solution will meet these requirements?
A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
B. Use AWS Private Certificate Authority. Encrypt the data in transit.
C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.
Explanations:
An AWS Key Management Service (AWS KMS) customer managed key only changes who controls the key behind DynamoDB's encryption at rest (every DynamoDB table is already encrypted at rest, by default with an AWS owned key). That is a confidentiality control on the storage layer and nothing more: the plaintext is still visible to anyone with read permission on the table, and anyone with write permission, including a compromised IAM principal, can modify items without detection because there is no integrity check. It does not provide end-to-end protection of the data or detect unauthorized changes.
AWS Private Certificate Authority issues the private certificates used for TLS, so it addresses confidentiality and server authentication while data moves over the network. It does nothing for data once it is stored in the table and offers no mechanism for detecting that a stored item has been altered.
The DynamoDB Encryption Client encrypts selected attribute values on the client before the item is sent to DynamoDB, so the plaintext never leaves the application and cannot be read from the table, even by someone with full access to it. It also signs each item: the signature covers the primary key (which stays in plaintext so DynamoDB can locate the item), the encrypted attributes and the attributes left in plaintext, so any modification of a stored item, or substitution of one item's ciphertext into another item, fails verification when the item is read back. This is the only option that combines end-to-end protection with detection of unauthorized changes, which makes option C correct. (AWS has since renamed the DynamoDB Encryption Client as the AWS Database Encryption SDK for DynamoDB; the client-side encryption and item signing model is the same, and the answer is unchanged.)
The AWS Encryption SDK also performs client-side encryption, and its default algorithm suite authenticates the ciphertext with AES-GCM and adds an ECDSA signature. But it operates on opaque byte streams, not on DynamoDB items: you would have to serialize each item or attribute into a blob yourself, and nothing in the SDK binds that blob to a particular table, primary key or set of unencrypted attributes. An attacker with write access could still change plaintext attributes, or copy a valid ciphertext from one item to another, without the SDK noticing. "Sign the table items" is therefore not something the AWS Encryption SDK does on its own; the item-level signing with DynamoDB integration is what the DynamoDB Encryption Client (option C) provides.
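The item-level signing that separates option C from the other answers, shown as an added Python example using only the standard library. This is not code from the page, from AWS, or from the DynamoDB Encryption Client itself: HMAC-SHA256 in counter mode stands in for the AES-GCM cipher the real client uses so that the example runs offline, the key literals, the table name, the `_sig` and `_enc_attrs` attribute names, and the canonical encoding are all assumptions made for illustration. What it does mirror is the client's model: selected attributes are encrypted before the write, the primary key is left in plaintext, and a signature over the whole stored item (table name, primary key, ciphertexts, plaintext attributes and the description of which attributes are encrypted) is checked before anything is decrypted.

```python
"""Added example: client-side encryption plus item signing for a DynamoDB item.
HMAC-SHA256 counter mode replaces AES-GCM here; keys and names are constructed."""
import copy
import hashlib
import hmac
import json
import os

# Constructed keys. The real client obtains these from a materials provider
# (for example AWS KMS or wrapped static keys), never from a literal.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
SIG_KEY = hashlib.sha256(b"demo-signing-key").digest()


def _keystream(key, nonce, length):
    """PRF counter mode: concatenate HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt_value(value):
    """Encrypt one attribute value under a fresh random nonce; return hex(nonce || ct)."""
    plaintext = json.dumps(value).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))))
    return (nonce + ciphertext).hex()


def _decrypt_value(blob):
    raw = bytes.fromhex(blob)
    nonce, ciphertext = raw[:16], raw[16:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def _signature(table, stored_without_sig):
    """HMAC over the table name and every stored attribute (primary key, ciphertexts,
    plaintext attributes and the encrypted-attribute list), in canonical JSON form."""
    canonical = json.dumps({"table": table, "item": stored_without_sig},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIG_KEY, canonical, hashlib.sha256).hexdigest()


def encrypt_item(table, item, encrypt_attrs):
    """Encrypt the named attributes, leave the rest (including the key) in plaintext,
    record which attributes are encrypted, then sign the whole stored item."""
    stored = {k: (_encrypt_value(v) if k in encrypt_attrs else v) for k, v in item.items()}
    stored["_enc_attrs"] = sorted(encrypt_attrs)  # assumed name for the material description
    stored["_sig"] = _signature(table, stored)
    return stored


def decrypt_item(table, stored):
    """Verify the signature first (encrypt-then-MAC); only then decrypt attributes."""
    unsigned = {k: v for k, v in stored.items() if k != "_sig"}
    if not hmac.compare_digest(_signature(table, unsigned), stored.get("_sig", "")):
        raise ValueError("item signature invalid: unauthorized change detected")
    encrypted = set(stored["_enc_attrs"])
    return {k: (_decrypt_value(v) if k in encrypted else v)
            for k, v in stored.items() if k not in ("_sig", "_enc_attrs")}


def tamper_detected(table, stored, mutate):
    """Apply mutate() to a copy of the stored item; report whether verification catches it."""
    tampered = copy.deepcopy(stored)
    mutate(tampered)
    try:
        decrypt_item(table, tampered)
        return False
    except ValueError:
        return True


def demo():
    """Round trip one item, then try the changes a writer with table access could make."""
    table = "Customers"  # constructed table name
    alice = {"customer_id": "c-1001", "ssn": "123-45-6789", "tier": "gold"}
    bob = {"customer_id": "c-2002", "ssn": "999-99-9999", "tier": "gold"}
    stored_alice = encrypt_item(table, alice, {"ssn"})
    stored_bob = encrypt_item(table, bob, {"ssn"})
    return {
        "round_trip_ok": decrypt_item(table, stored_alice) == alice,
        "ssn_hidden_at_rest": stored_alice["ssn"] != alice["ssn"],
        "plaintext_edit_caught": tamper_detected(table, stored_alice,
                                                 lambda s: s.__setitem__("tier", "platinum")),
        "ciphertext_swap_caught": tamper_detected(table, stored_alice,
                                                  lambda s: s.__setitem__("ssn", stored_bob["ssn"])),
        "desc_edit_caught": tamper_detected(table, stored_alice,
                                            lambda s: s.__setitem__("_enc_attrs", [])),
        "moved_to_other_table_caught": tamper_detected("Orders", stored_alice, lambda s: None),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The cases in `demo()` are exactly the gaps left by options A, B and D: editing an unencrypted attribute, moving a valid ciphertext from one item to another, changing which attributes are marked as encrypted, and replaying an item into a different table all pass through an at-rest or in-transit control unnoticed, but every one of them fails the item signature here. Keep the verify-before-decrypt order; decrypting first would hand attacker-controlled bytes to the application before integrity is known.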