ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 81 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 81
Topic #: 1
[All AWS Certified Security - Specialty Questions]

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB.
The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?

  • A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
  • B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
  • C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.
  • D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by polo at Sept. 4, 2019, 3:32 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
polo
Highly Voted 3 years, 7 months ago
D is the right answer: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html Java client lets you use any crypto engine to encrypt before uploading
upvoted 27 times
duduga40
3 years, 7 months ago
I think D
upvoted 3 times
...
...
RajAWSDevOps007
Most Recent 4 months ago
Selected Answer: D
D is correct. Ask is to use DynamoDB feature to encrypt with customer control
upvoted 1 times
...
Dave1234532
11 months ago
Selected Answer: D
Old question. The client has been renamed to AWS Database Encryption SDK Source: https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/DDBEC-rename.html If you get this question on the exam, note the name change.
upvoted 1 times
...
Raphaello
1 year, 2 months ago
Selected Answer: D
Using DynamoDB Encryption Client.
upvoted 1 times
...
Blue15
1 year, 11 months ago
Selected Answer: D
I think that`s right. D
upvoted 1 times
...
sapien45
2 years, 8 months ago
Selected Answer: D
You can use the DynamoDB Encryption Client with encryption keys from any source, including your custom implementation or a cryptography service After you create and configure the required components, the DynamoDB Encryption Client transparently encrypts and signs your table items when you add them to a table, and verifies and decrypts them when you retrieve them
upvoted 1 times
...
Malluchan
3 years ago
Selected Answer: D
Answer is D
upvoted 1 times
...
Radhaghosh
3 years, 3 months ago
Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
upvoted 1 times
...
LearnMeSomeAWS
3 years, 3 months ago
a certificate from ACM isnt a customer managed key either
upvoted 2 times
...
ChauPhan
3 years, 5 months ago
A,B are not relevant. C is incorrect. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. => you don't need to create per-record data key. Let's think you have 10 millions record, will you create corresponding 10 millions data key to encrypt them? Dispose of the cleartext and encrypted data keys after encryption without storing. ==> If we dispose encrypted data keys without storing then how we decrypt back the data :D
upvoted 3 times
...
EA_Practice
3 years, 6 months ago
After finding this: aws.amazon.com/about-aws/whats-new/2019/11/encrypt-your-amazon-dynamodb-data-by-using-your-own-encryption-keys/ inclined to accept C as the right response. Any objections ?
upvoted 1 times
EA_Practice
3 years, 6 months ago
and this: docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html does not make use of a client.
upvoted 1 times
MartNobel
3 years, 6 months ago
Yes, you're correct!
upvoted 1 times
...
...
ChauPhan
3 years, 5 months ago
"Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS". It is wrong because there is no need to create PER-RECORD data key and encrypt data prior to uploading to DynamoDB. Think about you have 1 million and you create 1 millions data key :D The correct answer should be: you create just one Customer-CMK and use it to create encrypt DynamoDB tables/data.
upvoted 1 times
ChauPhan
3 years, 5 months ago
Furthermore: "Dispose of the cleartext and encrypted data keys after encryption without storing". We have 1 million record => 1 millions data keys ==> dispose these 1 million encrypted data keys without storing. So how can we decrypt back the data? :D
upvoted 1 times
...
...
hubekpeter
2 years, 5 months ago
You are encrypting data on a table level.
upvoted 1 times
...
...
sanjaym
3 years, 6 months ago
Ans: D 100%
upvoted 1 times
EA_Practice
3 years, 6 months ago
your contributions are indispensable
upvoted 2 times
...
...
Edgecrusher77
3 years, 6 months ago
Yes D is correct, but what about encryption at Rest & KMS ….
upvoted 1 times
...
NANDY666
3 years, 6 months ago
D is Correct
upvoted 1 times
...
kalzht00
3 years, 6 months ago
The question asks the DynamoDB feature - So it should be D
upvoted 1 times
...
shooricg
3 years, 6 months ago
Yeah, I hear you guys say D, but wouldn't this change application that is sending the data. and wouldn't the security engineer need to understand Java and python. But with B, all they would to know is was services
upvoted 1 times
shooricg
3 years, 6 months ago
Ok, I'm wrong the question asks what feature of dynamodb to use. not process.
upvoted 2 times
...
...
devjava
3 years, 6 months ago
Ans > D https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago