Correct Answer - A, C.
For DynamoDB, you can select an option to encrypt some or all of your tables under a customer-managed CMK or the AWS managed CMK in your account.
For more information on AWS KMS, refer to the following URL-
https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html
DynamoDB supports encryption at rest, which means that your data is encrypted while it is stored in the DynamoDB. By encrypting your data at rest, you can help secure your data from unauthorized access and protect it from security threats.
DynamoDB uses the AWS Key Management Service (KMS) to encrypt your data at rest. When you create a DynamoDB table, you can choose to use either the default encryption key or a customer-managed CMK (Customer Master Key) in KMS to encrypt your data.
The following keys can be used to encrypt the DynamoDB data at rest:
A. A customer-managed CMK in KMS: You can use a customer-managed CMK in KMS to encrypt your DynamoDB data at rest. With this option, you have full control over the encryption key, and you can rotate the key as needed.
B. AWS managed CMK (aws/rds): This key is not applicable for encrypting DynamoDB data. It is used for encrypting Amazon RDS (Relational Database Service) data at rest.
C. AWS managed CMK (aws/dynamoDB): This key is the default encryption key for DynamoDB. When you create a DynamoDB table, it is automatically encrypted using this key.
D. Server-side default encryption key (aws/s3): This key is used for encrypting data at rest in Amazon S3 (Simple Storage Service) and is not applicable for encrypting DynamoDB data.
Therefore, the correct answer is A and C. You can use a customer-managed CMK in KMS or the AWS managed CMK (aws/dynamoDB) to encrypt your DynamoDB data at rest.
