A mobile chat application uses DynamoDB as its database service to provide low-latency chat updates. A new developer has joined the team and is reviewing the configuration settings for DynamoDB, which have been tweaked for certain technical requirements. The CloudTrail service has been enabled on all the resources used for the project. Yet, DynamoDB encryption details are nowhere to be found. Which of the following options can explain the root cause of the given issue?

Options are:
a. By default, all DynamoDB tables are encrypted under AWS managed CMKs, which do not write to CloudTrail logs
b. By default, all DynamoDB tables are encrypted using Data keys, which do not write to CloudTrail logs
c. By default, all DynamoDB tables are encrypted under Customer managed CMKs, which do not write to CloudTrail logs
d. By default, all DynamoDB tables are encrypted under an AWS owned customer master key (CMK), which does not write to CloudTrail logs (Correct)

Posted by User Murison (7.9k points)

1 Answer


Final answer:

Encryption details for DynamoDB using AWS owned CMKs are not present in CloudTrail logs because AWS automatically encrypts tables with its own managed keys without user intervention.

Step-by-step explanation:

The student is concerned about not being able to find the encryption details for a DynamoDB instance in the AWS CloudTrail service logs. The correct option that explains this situation is: d. By default, all DynamoDB tables are encrypted under an AWS owned customer master key (CMK), which does not write to CloudTrail logs. When AWS manages the encryption keys, the details of the key usage for the encryption and decryption of DynamoDB tables are not logged by CloudTrail because this is part of the underlying service operation managed by AWS. Encryption with AWS managed CMKs is done automatically, and thus users do not need to take any action or monitor this component specifically through CloudTrail.

Answered by User Vivek Chib (8.3k points)
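As an added illustration of the point in the accepted answer (example code written here, not part of the original question or answer): a table on the default AWS owned key returns no `SSEDescription` from `DescribeTable`, so there is no key ARN to look for and no KMS API calls to audit in CloudTrail, whereas a table on an AWS managed or customer managed KMS key exposes a `KMSMasterKeyArn` whose `Decrypt`/`GenerateDataKey` calls do show up. All responses, key metadata and CloudTrail records below are constructed stand-ins for `dynamodb:DescribeTable`, `kms:DescribeKey` and CloudTrail output; the ARN and account id are placeholders.

```python
# Constructed sample data (not captured from a real AWS account).
AWS_OWNED_TABLE = {"Table": {"TableName": "chat-messages"}}  # default: no SSEDescription
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN
KMS_TABLE = {"Table": {"TableName": "chat-messages",
                       "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                          "KMSMasterKeyArn": KEY_ARN}}}
# Stand-in for kms:DescribeKey -> KeyMetadata.KeyManager ("AWS" or "CUSTOMER"), keyed by ARN.
KEY_MANAGER = {KEY_ARN: "CUSTOMER"}
# Constructed CloudTrail records: one KMS call against the key, one unrelated DynamoDB event.
EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "UpdateTable", "resources": []},
]


def classify_encryption(describe_table: dict, key_manager: dict) -> dict:
    """Map a DescribeTable response to the key type and whether CloudTrail can show key usage."""
    sse = describe_table["Table"].get("SSEDescription")
    if sse is None:
        # DescribeTable omits SSEDescription entirely when the table uses the AWS owned key,
        # which is the default; there is no key ARN and no KMS activity to audit.
        return {"key_type": "AWS_OWNED", "key_arn": None, "kms_events_in_cloudtrail": False}
    if sse.get("SSEType") != "KMS":
        return {"key_type": "UNKNOWN", "key_arn": None, "kms_events_in_cloudtrail": False}
    arn = sse["KMSMasterKeyArn"]
    manager = key_manager.get(arn)  # "AWS" = AWS managed key, "CUSTOMER" = customer managed key
    key_type = {"AWS": "AWS_MANAGED", "CUSTOMER": "CUSTOMER_MANAGED"}.get(manager, "UNKNOWN")
    return {"key_type": key_type, "key_arn": arn, "kms_events_in_cloudtrail": True}


def kms_events_for_key(events: list, key_arn: str) -> list:
    """Return the CloudTrail records that are KMS API calls referencing the given key ARN."""
    return [e for e in events
            if e.get("eventSource") == "kms.amazonaws.com"
            and any(r.get("ARN") == key_arn for r in e.get("resources", []))]


if __name__ == "__main__":
    for table in (AWS_OWNED_TABLE, KMS_TABLE):
        info = classify_encryption(table, KEY_MANAGER)
        hits = kms_events_for_key(EVENTS, info["key_arn"]) if info["key_arn"] else []
        print(f"{info['key_type']}: {len(hits)} KMS event(s) attributable to this table's key")
```

For a real account, `boto3.client("dynamodb").describe_table(TableName=...)` and `boto3.client("kms").describe_key(KeyId=...)["KeyMetadata"]["KeyManager"]` supply the two inputs that are constructed above.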