1. A data pipeline writes highly sensitive PII records to Amazon DynamoDB. The security team requires that data is encrypted at rest using a customer-managed key (CMK) so that the company retains full control over key rotation and revocation. Which configuration satisfies this requirement?
- A. Enable DynamoDB encryption at rest and select AWS owned key (default); DynamoDB manages all key material automatically
- B. Enable DynamoDB encryption at rest and select AWS managed key (aws/dynamodb); AWS rotates the key automatically each year
- C. Enable DynamoDB encryption at rest and select a customer-managed KMS key (CMK) created in AWS KMS; configure manual or automatic key rotation as required✓ Correct
- D. Enable DynamoDB Point-in-Time Recovery (PITR) and configure client-side encryption using the AWS Encryption SDK before writing records
Explanation
Only a customer-managed KMS key (CMK) gives the company full control over key policies, rotation schedules, and the ability to revoke access by disabling the key. Option A (AWS owned key) is managed entirely by AWS and cannot be controlled, rotated, or revoked by the customer. Option B (AWS managed key) is managed by AWS on behalf of the customer—AWS controls rotation, and the customer cannot disable it directly. Option D (client-side encryption with PITR) addresses encryption but does not use KMS-managed server-side encryption; PITR is a backup feature, not an encryption control.