Posted On: Dec 13, 2019

Amazon DynamoDB is a fully managed, nonrelational database that delivers reliable performance at any scale. DynamoDB encrypts all your data at rest by default with an Amazon Web Services owned customer master key (CMK), unless you opt to use an Amazon Web Services managed CMK. Starting today, you can also use customer managed CMKs, which means you control the policy, rotation, and lifecycle of the key that protects your DynamoDB data.

When you use customer managed CMKs, you create the keys in Amazon Key Management Service (or import your own key material) and can use those same keys across multiple Amazon Web Services services. You can create, use, rotate, and destroy encryption keys to help protect sensitive applications, adhere to your organization's policies, meet compliance and regulatory requirements, and, when you import your own key material, maintain an additional secure copy of your encryption keys outside of Amazon Web Services. You can also use Amazon CloudTrail to audit key creation, usage, and deletion, including the KMS calls that DynamoDB makes on your behalf.

DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit-millisecond latency that you have come to expect. All DynamoDB encryption key options use 256-bit Advanced Encryption Standard (AES-256) to help secure your data from unauthorized access to the underlying storage. You do not have to modify your code or application to use and update encryption keys.  

You can use customer managed CMKs to encrypt your data with a single click in the Amazon Web Services Management Console, with an API call, or with the Amazon Command Line Interface (CLI). There is no additional charge for data encrypted at rest by using an Amazon Web Services owned CMK. Amazon Key Management Service and Amazon CloudTrail charges apply for using customer managed CMKs and Amazon Web Services managed CMKs.
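The following is an added example (not code from the announcement or from Amazon) showing the API path described above with boto3: it builds the SSESpecification that switches a table to a customer managed CMK, produces the key policy statement the calling principal needs so that it can use the key only through DynamoDB, and checks a describe_table response to confirm that the table is really on your key and not on the default owned key or the Amazon Web Services managed key. The table name, account ID, key ARNs and role ARN are placeholders, the sample responses are constructed, and the "amazonaws.com.cn" DNS suffix used for the kms:ViaService value in the China regions is an assumption; the live calls under __main__ need credentials and are not exercised offline.

```python
"""Switch a DynamoDB table to a customer managed CMK and verify it (added example)."""
import json
import re
from typing import Any, Dict

# A KMS key ARN: partition, region, 12-digit account, key/<UUID>.
_KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:([a-z]{2}(?:-[a-z]+)+-\d):(\d{12}):key/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def sse_specification(kms_key_arn: str) -> Dict[str, Any]:
    """Build the SSESpecification for update_table / create_table.

    DynamoDB also accepts key IDs and aliases; this example insists on a
    full key ARN (a design choice) because an alias can be repointed at a
    different key later without the table definition changing.
    """
    if not _KMS_KEY_ARN.match(kms_key_arn):
        raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")
    return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": kms_key_arn}


def key_policy_statement(principal_arn: str, region: str,
                         dns_suffix: str = "amazonaws.com") -> Dict[str, Any]:
    """Key policy statement letting `principal_arn` use the key only via DynamoDB.

    DynamoDB calls KMS on behalf of the principal that creates or updates the
    table, so that principal (not the service) needs the actions below.
    The kms:ViaService condition pins the permission to DynamoDB in `region`;
    a direct kms:Decrypt call by the same principal carries no ViaService
    value and is therefore denied. dns_suffix "amazonaws.com.cn" for the
    China regions is an assumption of this example.
    """
    return {
        "Sid": "AllowUseOfKeyViaDynamoDB",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": f"dynamodb.{region}.{dns_suffix}"}},
    }


def verify_table_encryption(describe_table_response: Dict[str, Any],
                            expected_key_arn: str) -> bool:
    """True only if the table reports an ENABLED KMS key whose ARN matches.

    SSEDescription is absent when the default Amazon Web Services owned key
    is in use, and the Amazon Web Services managed key also reports
    SSEType "KMS", so SSEType alone cannot tell the options apart; the ARN
    match can. A Status of ENABLING/UPDATING means the switch is not done.
    """
    sse = describe_table_response.get("Table", {}).get("SSEDescription")
    if not sse:
        return False
    return (sse.get("Status") == "ENABLED"
            and sse.get("SSEType") == "KMS"
            and sse.get("KMSMasterKeyArn") == expected_key_arn)


# Constructed sample values shaped like boto3 describe_table output (placeholders).
CUSTOMER_KEY_ARN = ("arn:aws-cn:kms:cn-north-1:123456789012:key/"
                    "11111111-2222-3333-4444-555555555555")
AWS_MANAGED_KEY_ARN = ("arn:aws-cn:kms:cn-north-1:123456789012:key/"
                       "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_CUSTOMER_MANAGED = {"Table": {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CUSTOMER_KEY_ARN}}}
SAMPLE_AWS_MANAGED = {"Table": {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_MANAGED_KEY_ARN}}}
SAMPLE_AWS_OWNED = {"Table": {"TableName": "Orders"}}  # no SSEDescription at all
SAMPLE_ENABLING = {"Table": {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLING", "SSEType": "KMS", "KMSMasterKeyArn": CUSTOMER_KEY_ARN}}}


if __name__ == "__main__":
    import boto3  # only the live path needs it

    table, region = "Orders", "cn-north-1"  # placeholders
    role_arn = "arn:aws-cn:iam::123456789012:role/OrdersApp"  # placeholder
    # 1. Statement to merge into the key's policy before switching the table.
    print(json.dumps(key_policy_statement(role_arn, region, "amazonaws.com.cn"), indent=2))
    # 2. Switch the table; the change is asynchronous, so wait for ACTIVE.
    ddb = boto3.client("dynamodb", region_name=region)
    ddb.update_table(TableName=table, SSESpecification=sse_specification(CUSTOMER_KEY_ARN))
    ddb.get_waiter("table_exists").wait(TableName=table)
    # 3. Confirm the table is on the expected key, not merely on "some" KMS key.
    print("on customer managed key:",
          verify_table_encryption(ddb.describe_table(TableName=table), CUSTOMER_KEY_ARN))
```

Run the same verification across every table in the account after the change; a table that still returns no SSEDescription is on the owned key, and one whose KMSMasterKeyArn differs from yours is on the Amazon Web Services managed key, both of which look "encrypted" in the console.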

You can use customer managed CMKs to encrypt your data in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about encryption at rest and how to manage encrypted tables, see Managing Encrypted Tables.