Requirement Summary:
Store customer orders in DynamoDB
Must encrypt data at rest
Company wants to use a key it generates (i.e., customer managed key)
Evaluate Options:
A. Set encryption to None, manually encrypt/decrypt in code
❌ Overhead and error-prone
Also non-compliant with AWS encryption best practices
✅ B. Use customer managed KMS key
✅ Exactly meets the requirement: customer generates and controls the key
During table creation, you can specify a KMS CMK ARN
C. Default encryption + kms:Encrypt in SDK
❌ Misunderstanding: DynamoDB handles encryption automatically
You don’t need to call kms:Encrypt manually in the SDK
D. Use AWS managed key
❌ Does not meet the requirement of using a custom company-generated key
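Added example (not part of the original answer key): how option B looks as a CreateTable request, plus a check that tells a customer managed key apart from the AWS managed or AWS owned key using DescribeTable and KMS DescribeKey output. The table name, attribute name, key ARN and the sample responses are constructed placeholders; the functions only build and inspect dictionaries, so nothing here calls AWS.

```python
# Added example. Key ARN, table name and API responses are constructed placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def create_table_request(table_name, kms_key_arn):
    """Build kwargs for boto3 dynamodb.create_table(**kwargs) per option B."""
    return {
        "TableName": table_name,
        "AttributeDefinitions": [{"AttributeName": "OrderId", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "OrderId", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST",
        # SSEType KMS plus a key id/ARN selects the customer managed key;
        # SSEType KMS with no KMSMasterKeyId would use the AWS managed key (option D).
        "SSESpecification": {"Enabled": True, "SSEType": "KMS",
                             "KMSMasterKeyId": kms_key_arn},
    }

def classify_table_key(describe_table, describe_key=None):
    """Return 'aws-owned', 'aws-managed' or 'customer-managed'.

    describe_table: dynamodb.describe_table response
    describe_key:   kms.describe_key response for the table's KMSMasterKeyArn
    """
    sse = describe_table["Table"].get("SSEDescription") or {}
    if sse.get("SSEType") != "KMS":
        return "aws-owned"          # default encryption, no KMS key on the table
    if describe_key is None:
        raise ValueError("kms.describe_key output needed to identify the key owner")
    meta = describe_key["KeyMetadata"]
    if meta["Arn"] != sse["KMSMasterKeyArn"]:
        raise ValueError("describe_key response is for a different key")
    # KeyManager is 'CUSTOMER' for customer managed keys, 'AWS' for aws/dynamodb.
    return "customer-managed" if meta["KeyManager"] == "CUSTOMER" else "aws-managed"

# Constructed responses, trimmed to the fields the check reads.
TABLE_CMK = {"Table": {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": KEY_ARN}}}
TABLE_DEFAULT = {"Table": {"TableName": "Orders"}}
KEY_CUSTOMER = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER"}}
KEY_AWS = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "AWS"}}

if __name__ == "__main__":
    print(create_table_request("Orders", KEY_ARN)["SSESpecification"])
    print(classify_table_key(TABLE_CMK, KEY_CUSTOMER))
    print(classify_table_key(TABLE_CMK, KEY_AWS))
    print(classify_table_key(TABLE_DEFAULT))
```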
DynamoDB encryption:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
KMS customer managed keys:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk