ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 2.3: Security ControlsDynamoDBSaaSKMSSecurity

AWS SAP-C02 · Question 68 · Domain 2.3: Security Controls

A company is designing a multi-tenant SaaS application on AWS. They need to isolate the data of each tenant. The application uses Amazon DynamoDB. Some tenants have very strict compliance requirements and demand that their data is encrypted with their own KMS key. Other tenants are fine with standard encryption. What is the MOST scalable way to design the DynamoDB architecture?

Answer options:

A.

Use a single DynamoDB table for all tenants. Encrypt the table with an AWS Managed Key.

B.

Use a single DynamoDB table for all tenants. Implement client-side encryption in the application using each tenant's KMS key before writing to DynamoDB.

C.

Create a separate DynamoDB table for every single tenant and encrypt each with their own KMS key.

D.

Use a single DynamoDB table and configure item-level KMS encryption natively in DynamoDB.

How to approach this question

Identify how to apply different encryption keys to different items in a single database.

Full Answer

B.Use a single DynamoDB table for all tenants. Implement client-side encryption in the application using each tenant's KMS key before writing to DynamoDB.✓ Correct
Use a separate DynamoDB table for the strict-compliance tenants, encrypted with their CMK. Use a shared table for the other tenants.
DynamoDB natively supports encryption at rest at the table level. To use different KMS keys for different tenants within the same table (the most scalable SaaS pattern), you must use client-side encryption (e.g., using the AWS Encryption SDK) before writing the data to DynamoDB.

Common mistakes

Assuming DynamoDB supports native item-level KMS encryption.
67All questions69

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its network architecture across 50 AWS accounts. They require ...HardQ02A financial services company uses AWS Organizations to manage 100+ accounts. The security team ma...MediumQ03An e-commerce company requires a multi-region active-active architecture for its critical order p...MediumQ04A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that a...HardQ05An enterprise has 50 AWS accounts under AWS Organizations. They want to implement a chargeback mo...Medium
View all 75 questions →