A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?
DynamoDB uses one KMS key for the table and all associated indexes.
Why this answer
Option C is correct because DynamoDB encrypts all data at rest using a single KMS key per table. The base table and all of its GSIs are encrypted with the same key. It is not possible to use a different KMS key for a GSI.
Option A is wrong because the GSI cannot have a separate key. Option B is wrong because KMS key policies do not allow per-index encryption. Option D is wrong because the table and its GSIs always use the same key.