What should the developer do to meet these requirements?
Create the DynamoDB table with encryption set to None. Code the application to use the key to decrypt the data when the application reads from the table. Code the application to use the key to encrypt the data when the application writes to the table.
Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS customer managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
Store the key by using AWS Key Management Service (AWS KMS). Create the DynamoDB table with default encryption. Include the kms:Encrypt parameter with the Amazon Resource Name (ARN) of the AWS KMS key when using the DynamoDB software development kit (SDK).
Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS AWS managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
Explanations:
DynamoDB supports encryption at rest using AWS-managed or customer-managed KMS keys. However, setting encryption to None and manually encrypting and decrypting data in the application is not feasible for meeting the encryption requirements.
This option correctly stores the key in AWS KMS and uses a customer-managed key for encryption at rest. Specifying the KMS key ARN during table creation ensures the data is encrypted with the key that the company generates.
While storing the key in KMS and using it is correct, including the kms:Encrypt parameter in the SDK is unnecessary, as DynamoDB automatically handles encryption with the specified KMS key.
Using an AWS managed key (default) does not meet the requirement of using a key that the company generates. The company requires a customer managed KMS key, not an AWS managed key.