Encryption at rest: How it works - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Encryption at rest: How it works

Amazon DynamoDB encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256), which helps secure your data from unauthorized access to the underlying storage.

Encryption at rest integrates with Amazon Key Management Service (Amazon KMS) for managing the encryption key that is used to encrypt your tables.

When creating a new table or switching the encryption keys on an existing table, you can choose one of the following Amazon KMS keys:

  • Amazon owned key – Default encryption type. The key is owned by DynamoDB (no additional charge).

  • Amazon managed key – The key is stored in your account and is managed by Amazon KMS (Amazon KMS charges apply).

  • Customer managed key – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (Amazon KMS charges apply).

Amazon owned keys

Amazon owned keys are not stored in your Amazon account. They are part of a collection of KMS keys that Amazon owns and manages for use in multiple Amazon accounts. Amazon services can use Amazon owned keys to protect your data.

You cannot view, manage, or use Amazon owned keys, or audit their use. However, you do not need to do any work or change any programs to protect the keys that encrypt your data.

You are not charged a monthly fee or a usage fee for use of Amazon owned keys, and they do not count against Amazon KMS quotas for your account.

Amazon managed keys

Amazon managed keys are KMS keys in your account that are created, managed, and used on your behalf by an Amazon service that is integrated with Amazon KMS. You can view the Amazon managed keys in your account, view their key policies, and audit their use in Amazon CloudTrail logs. However, you cannot manage these KMS keys or change their permissions.

Encryption at rest automatically integrates with Amazon KMS for managing the Amazon managed key for DynamoDB (aws/dynamodb) that is used to encrypt your tables. If an Amazon managed key doesn't exist when you create your encrypted DynamoDB table, Amazon KMS automatically creates a new key for you. This key is used with encrypted tables that are created in the future. Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

For more information about managing permissions of the Amazon managed key, see Authorizing use of the Amazon managed key in the Amazon Key Management Service Developer Guide.

Customer managed keys

Customer managed keys are KMS keys in your Amazon account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants; enabling and disabling them; rotating their cryptographic material; adding tags; creating aliases that refer to them; and scheduling them for deletion. For more information about managing permissions of a customer managed key, see Customer managed key policy.

When you specify a customer managed key as the table-level encryption key, the DynamoDB table, local and global secondary indexes, and streams are encrypted with the same customer managed key. On-demand backups are encrypted with the table-level encryption key that is specified at the time the backup is created. Updating the table-level encryption key does not change the encryption key that is associated with existing on-demand backups.

Setting the state of the customer managed key to disabled or scheduling it for deletion prevents all users and the DynamoDB service from being able to encrypt or decrypt data and to perform read and write operations on the table. DynamoDB must have access to your encryption key to ensure that you can continue to access your table and to prevent data loss.

If you disable your customer managed key or schedule it for deletion, your table status becomes Inaccessible. To ensure that you can continue working with the table, you must provide DynamoDB access to the specified encryption key within seven days. As soon as the service detects that your encryption key is inaccessible, DynamoDB sends you an email notification to alert you.

Note
  • If your customer managed key remains inaccessible to the DynamoDB service for longer than seven days, the table is archived and can no longer be accessed. DynamoDB creates an on-demand backup of your table, and you are billed for it. You can use this on-demand backup to restore your data to a new table. To initiate the restore, the last customer managed key on the table must be enabled, and DynamoDB must have access to it.

  • If your customer managed key that was used to encrypt a global table replica is inaccessible DynamoDB will remove this replica from the replication group. The replica will not be deleted and replication will stop from and to this region, 20 hours after detecting the customer managed key as inaccessible.

Notes on using Amazon managed keys

Amazon DynamoDB can't read your table data unless it has access to the KMS key stored in your Amazon KMS account. DynamoDB uses envelope encryption and key hierarchy to encrypt data. Your Amazon KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see Envelope encryption in the Amazon Key Management Service Developer Guide.

You can use Amazon CloudTrail and Amazon CloudWatch Logs to track the requests that DynamoDB sends to Amazon KMS on your behalf. For more information, see Monitoring DynamoDB interaction with Amazon KMS in the Amazon Key Management Service Developer Guide.

DynamoDB doesn't call Amazon KMS for every DynamoDB operation. The key is refreshed once every 5 minutes per client connection with active traffic.

Ensure that you have configured the SDK to reuse connections. Otherwise, you will experience latencies from DynamoDB having to reestablish new Amazon KMS cache entries for each DynamoDB operation. In addition, you might potentially have to face higher Amazon KMS and CloudTrail costs. For example, to do this using the Node.js SDK, you can create a new HTTPS agent with keepAlive turned on. For more information, see Configuring maxSockets in Node.js in the Amazon SDK for JavaScript Developer Guide.