AWS KMS CMK’s are being used to provide server-side encryption of DynamoDB tables. The security team wants to audit the CMKs and identify DynamoDB tables using the keys for encryption at rest. What service can be used to perform this activity?

Answer options:

A.CloudWatch
B.CloudTrail
C.AWS Trusted Advisor
D.AWS Config

Answer: B
When DynamoDB uses AWS KMS Customer Managed Keys for server-side encryption, it uses KMS requests (e.g., GenerateDataKey, Decrypt, CreateGrant) for performing various encryption operations. These KMS API operations are logged in CloudTrail logs. Therefore, CloudTrail logs can be used to identify what CMK’s are used by DynamoDB tables. Hence Option B is CORRECT, and
Option A is incorrect.
Option C is incorrect because Trusted Advisor is a service for analyzing AWS resources and infrastructure against AWS best practices.
Option D is incorrect because AWS Config is a service for tracking and monitoring configuration changes of AWS resources.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html#dynamodb-cmk-trail