A healthcare application stores PHI in Amazon DynamoDB. Compliance requires that all data is encrypted at rest using a key that the security team can rotate annually. The application must not experience downtime during key rotation. Which solution meets these requirements?

Answer options:

A.

Use AWS Owned Keys for DynamoDB encryption.

B.

Use AWS KMS Customer Managed Keys for DynamoDB encryption. Enable automatic key rotation in KMS.

C.

Encrypt data in the application layer before writing to DynamoDB. Rotate the keys manually.

D.

Use AWS CloudHSM to generate keys and import them into KMS. Rotate them manually.

How to approach this question

Identify the KMS key type that supports automatic rotation.

Full Answer

B.Use AWS KMS Customer Managed Keys for DynamoDB encryption. Enable automatic key rotation in KMS.✓ Correct

Use AWS KMS Customer Managed Keys for DynamoDB encryption. Enable automatic key rotation in KMS.

AWS KMS Customer Managed Keys support automatic annual rotation. KMS keeps the old backing keys to decrypt existing data, ensuring zero downtime for the application.

Common mistakes

Thinking imported keys support automatic rotation.

Question 30 All questions Question 32

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6

75 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...Hard Q02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...Hard Q03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...Medium Q04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...Hard Q05A company requires that all API calls to Amazon S3 from their VPC must not traverse the public in...Medium

View all 75 questions →