Skip to main content

AWS DVA-C02 Drill: DynamoDB Encryption - Default vs. KMS Key Types

·740 words·4 mins·
Certification Drills AWS DVA-C02 DynamoDB Encryption AWS CLI
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For DVA-C02 candidates, confusion frequently arises around how to specify encryption keys via the CLI correctly. In production, it’s vital to understand exactly when to specify KMS keys and when server-side encryption defaults apply. Let’s drill down.

The Certification Drill (Simulated Question)
#

Scenario
#

Zentech, an innovative IoT device software company, is building an application backend that uses Amazon DynamoDB for device telemetry data. The lead developer is automating the provisioning of DynamoDB tables via AWS CLI. Due to compliance requirements, all data must be encrypted at rest using server-side encryption with an AWS owned encryption key (not customer-managed or AWS managed keys).

The Requirement:
#

How should the developer create the DynamoDB table to meet the encryption compliance using the AWS CLI?

The Options
#

  • A) Create a customer managed KMS key in AWS KMS. Provide the key’s Amazon Resource Name (ARN) in the KMSMasterKeyId parameter during the DynamoDB table creation.
  • B) Create an AWS managed KMS key. Provide the key’s ARN in the KMSMasterKeyId parameter during the DynamoDB table creation.
  • C) Use an AWS owned key. Provide the key’s ARN in the KMSMasterKeyId parameter during the DynamoDB table creation.
  • D) Create the DynamoDB table with the default encryption options.

Google adsense
#

leave a comment:

Correct Answer
#

D

Quick Insight: The Developer Imperative
#

The AWS CLI option KMSMasterKeyId is only required when you want to use a customer managed key (CMK) or an AWS managed key. For AWS owned keys, which DynamoDB uses by default, you do not provide any key ID. The table’s default encryption is server-side encryption using AWS owned keys.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option D

The Winning Logic
#

By default, DynamoDB encrypts all tables at rest using AWS owned keys. When you create a DynamoDB table and do not specify the KMSMasterKeyId parameter, server-side encryption automatically applies with AWS owned encryption keys — this meets the compliance need for encryption at rest without any extra management overhead.

  • The CLI does not require specifying a key ID for AWS owned keys.
  • Option A and B involve explicitly providing a key, which is not needed for default AWS owned encryption.
  • Option C is not valid because AWS owned keys are not explicitly addressable or manageable through ARNs — they are managed entirely behind the scenes by AWS.

The Trap (Distractor Analysis):
#

  • Why not A? Creating and specifying a customer managed CMK requires key lifecycle management and permissions, which is beyond the requirement of just using an AWS owned key. Also, the exam specifies AWS owned, not customer managed keys.
  • Why not B? AWS Managed CMKs exist but are still explicitly referenced. If you want the AWS owned key (the simplest, no-management option), you do not specify this.
  • Why not C? AWS owned keys cannot be specified by ARN or manually assigned; they are managed internally by AWS and transparent to you.
  • Only option D correctly leverages the default behavior of DynamoDB encryption.

The Technical Blueprint
# 

# Create DynamoDB table with default server-side encryption (using AWS owned key):
aws dynamodb create-table \
  --table-name ZentechTelemetry \
  --attribute-definitions AttributeName=DeviceId,AttributeType=S \
  --key-schema AttributeName=DeviceId,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
# No KMSMasterKeyId parameter required!

The Comparative Analysis
#

Option API Complexity Encryption Key Type Use Case
A High - specify CMK Customer Managed Key (CMK) When custom key management is required
B Moderate - specify KMS Managed Key ARN AWS Managed Key When using AWS managed CMKs in KMS explicitly
C Invalid AWS Owned Key (not user-visible) Cannot specify ARN, AWS owned keys are implicit
D Low - default behavior AWS Owned Key (default) Default encryption meets compliance effortlessly

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For the exam, always pick default encryption (D) when the question states AWS owned key without mentioning CMKs.

Real World
#

In production, often customers prefer AWS Managed or Customer Managed CMKs for granular control, audit, or cross-account usage. But the simplest solution for baseline encryption is always the AWS owned key.

(CTA) Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.