How Amazon DynamoDB uses Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Amazon DynamoDB uses Amazon KMS

Amazon DynamoDB is a fully managed, scalable NoSQL database service. DynamoDB integrates with Amazon Key Management Service (Amazon KMS) to support the encryption at rest server-side encryption feature.

With encryption at rest, DynamoDB transparently encrypts all customer data in a DynamoDB table, including its primary key and local and global secondary indexes, whenever the table is persisted to disk. (If your table has a sort key, some of the sort keys that mark range boundaries are stored in plaintext in the table metadata.) When you access your table, DynamoDB decrypts the table data transparently. You do not need to change your applications to use or manage encrypted tables.

Encryption at rest also protects DynamoDB streams, global tables, and backups whenever these objects are saved to durable media. Statements about tables in this topic apply to these objects, too.

All DynamoDB tables are encrypted. There is no option to enable or disable encryption for new or existing tables. By default, all tables are encrypted under an Amazon owned key in the DynamoDB service account. However, you can select an option to encrypt some or all of your tables under a customer managed key or the Amazon managed key for DynamoDB in your account.

For details about Amazon DynamoDB support for KMS keys, see DynamoDB encryption at rest in the Amazon DynamoDB Developer Guide.