In the security quiz, there’s a question about storing credentials, and the answer is to store credentials in an encrypted file in S3. Another answer is to store the creds in DynamoDB, which seems equally reasonable. DynamoDB tables can be encrypted, and access can be restricted just the same as S3, so what makes S3 the better choice?
This is a good example of a subtle nuance that you’ll see on the CSAP exam time and time again. You have to be careful to not fill in stuff that is not explicitly stated in the question. Also, this question is an example of identifying the "least worst" option. We have to pick the best of the offerings even though we know there are better ways.
In this case, DynamoDB is a possibility and we could store the object on an encrypted table or encrypt it via GPG before we store it in Dynamo. We could do many things with many services. However, the answer does not SAY using an encrypted table and thus we must assume that the credentials will be stored in plain text. Therefore, it makes that option "more worse" than the S3 option.
Yes, this may be silly, but it is how the exam is structured so we want to be sure to train you in that mindset.
My thinking was more about costs and operational ease. I chose S3 because having some files in encrypted S3 is significantly cheaper than having a DynamoDB table. It is also easier to manage read rights to specific keys through S3 policies than DynamoDB.