Posted On: Dec 13, 2019

Amazon DynamoDB is a fully managed, nonrelational database that delivers reliable performance at any scale. DynamoDB encrypts all your data at rest by default with an AWS owned customer master key (CMK), unless you opt to use a AWS managed CMK. Starting today, you also can use customer managed CMKs, which means you can have full control over how you encrypt and manage the security of your DynamoDB data. 

When you use customer managed CMKs, you bring your own encryption keys to DynamoDB and use those keys across multiple AWS services. You now can create, use, rotate, and destroy encryption keys to help protect sensitive applications, adhere to your organization’s policies, meet compliance and regulatory requirements, and maintain an additional secure copy of your encryption keys outside of AWS. You also can use AWS CloudTrail to monitor detailed auditing information about key creation, usage, and deletion. 

DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit-millisecond latency that you have come to expect. All DynamoDB encryption key options use 256-bit Advanced Encryption Standard (AES-256) to help secure your data from unauthorized access to the underlying storage. You do not have to modify your code or application to use and update encryption keys.  

You can use customer managed CMKs to encrypt your data with a single click in the AWS Management Console or a simple API call, or with the AWS Command Line Interface (CLI). There is no additional charge for data encrypted at rest by using an AWS owned CMK. AWS Key Management Service and AWS CloudTrail charges apply for using customer managed CMKs and AWS managed CMKs. 

You can use customer managed CMKs to encrypt your data in the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD. To learn more about encryption at rest and how to manage encrypted tables, see Managing Encrypted Tables