What should the security engineer do next to meet these requirements?
Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Use the AWS SDK integration with AWS KMS to encrypt the data locally by using the new KMS key. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
Explanations:
This option is correct. It involves generating a new AWS KMS customer-managed key, importing the key material from the on-premises HSM, granting DynamoDB access to the key, and selecting the key for encryption in the new DynamoDB table. This approach meets the requirement of using an HSM-generated key for encryption at rest.
This option is incorrect because disabling the KMS key after table creation is not a valid configuration. DynamoDB needs to be able to access the key for ongoing encryption operations, and disabling the KMS key would prevent that.
This option is incorrect because it suggests using an AWS managed KMS key, which does not meet the requirement of using an on-premises HSM to generate and manage the key. The requirement specifies that the encryption key must be generated by the on-premises HSM.
This option is incorrect because it involves encrypting the data locally with the AWS SDK using the KMS key before importing it into DynamoDB. The encryption requirement mandates that DynamoDB itself must use the key directly for encryption at rest, not encryption done locally before importing.
I evaluate that the answer is:
Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.