Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

DynamoDB encryption at rest

All user data stored in Amazon DynamoDB is fully encrypted at rest. DynamoDB encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in Amazon Key Management Service (Amazon KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.

DynamoDB encryption at rest provides an additional layer of data protection by always securing your data in an encrypted table—including its primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters whenever the data is stored in durable media. Organizational policies, industry or government regulations, and compliance requirements often require the use of encryption at rest to increase the data security of your applications.

Encryption at rest integrates with Amazon KMS for managing the encryption keys that are used to encrypt your tables. For more information on key types and states, see Amazon Key Management Service concepts in the Amazon Key Management Service Developer Guide.

When creating a new table, you can choose one of the following Amazon KMS key types to encrypt your table. You can switch between these key types at any time.

  • Amazon owned key – Default encryption type. The key is owned by DynamoDB (no additional charge).

  • Amazon managed key – The key is stored in your account and is managed by Amazon KMS (Amazon KMS charges apply).

  • Customer managed key – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (Amazon KMS charges apply).

For more information on key types, see Customer keys and Amazon keys.

Note
  • When creating a new DAX cluster with encryption at rest enabled, an Amazon managed key will be used to encrypt data at rest in the cluster.

  • If your table has a sort key, some of the sort keys that mark range boundaries are stored in plaintext in the table metadata.

When you access an encrypted table, DynamoDB decrypts the table data transparently. You don't have to change any code or applications to use or manage encrypted tables. DynamoDB continues to deliver the same single-digit millisecond latency that you have come to expect, and all DynamoDB queries work seamlessly on your encrypted data.

You can specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or the Amazon DynamoDB API. To learn how, see Managing encrypted tables in DynamoDB.
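As an added example that is not part of this guide, the following Python helpers build the SSESpecification parameter that CreateTable and UpdateTable accept for each of the three key types above, and classify what DescribeTable (with kms:DescribeKey) reports so you can audit which key a table actually uses. The function names, table names and key ARN are constructed sample values.

```python
from typing import Optional

# Key types as the guide names them
AMAZON_OWNED = "Amazon owned key"
AMAZON_MANAGED = "Amazon managed key"
CUSTOMER_MANAGED = "Customer managed key"


def sse_specification(key_type: str, kms_key_id: Optional[str] = None) -> dict:
    """Return the SSESpecification value for create_table / update_table.

    Enabled=False selects the Amazon owned key. Enabled=True with SSEType=KMS
    selects the aws/dynamodb Amazon managed key unless KMSMasterKeyId names
    your own key (ID, ARN or alias).
    """
    if key_type == AMAZON_OWNED:
        return {"Enabled": False}
    if key_type == AMAZON_MANAGED:
        return {"Enabled": True, "SSEType": "KMS"}
    if key_type == CUSTOMER_MANAGED:
        if not kms_key_id:
            raise ValueError("customer managed key requires a key ID, ARN or alias")
        return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": kms_key_id}
    raise ValueError(f"unknown key type: {key_type}")


def classify_table_key(table: dict, key_manager: Optional[str] = None) -> str:
    """Map a DescribeTable 'Table' dict to one of the three key types.

    DescribeTable carries no SSEDescription for the Amazon owned key. For a
    KMS-backed table it only returns the key ARN, so the KeyManager field
    ('AWS' or 'CUSTOMER') from kms:DescribeKey on that ARN is needed to tell
    the Amazon managed key from a customer managed key.
    """
    sse = table.get("SSEDescription")
    if not sse or sse.get("Status") != "ENABLED":
        return AMAZON_OWNED
    if key_manager == "CUSTOMER":
        return CUSTOMER_MANAGED
    if key_manager == "AWS":
        return AMAZON_MANAGED
    raise ValueError("KMS-backed table: pass KeyManager from kms:DescribeKey")


# Constructed sample responses, not captured from a real account
SAMPLE_CMK_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_TABLE_CMK = {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": SAMPLE_CMK_ARN}}
SAMPLE_TABLE_OWNED = {"TableName": "Sessions"}
# Real call (needs boto3 and credentials):
# boto3.client("dynamodb").update_table(TableName="Orders",
#     SSESpecification=sse_specification(CUSTOMER_MANAGED, "alias/orders-key"))
```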

Encryption at rest using the Amazon owned key is offered at no additional charge. However, Amazon KMS charges apply for an Amazon managed key and for a customer managed key. For more information about pricing, see Amazon KMS pricing.

DynamoDB encryption at rest is available in all Amazon Regions, including the Amazon China (Beijing) and Amazon China (Ningxia) Regions and the Amazon GovCloud (US) Regions. For more information, see Encryption at rest: How it works and DynamoDB encryption at rest usage notes.