Posted On: Nov 6, 2020
With Amazon DynamoDB global tables, you can give massively scaled, global applications local access to DynamoDB tables for fast read and write performance. All of your data in DynamoDB is encrypted by default using the Amazon Key Management Service (KMS). Starting today, you can choose a customer managed key for your global tables, giving you full control over the key used to encrypt the DynamoDB data that global tables replicate. Customer managed keys also come with full Amazon CloudTrail monitoring, so you can see each time the key is used or accessed.
When you choose a customer managed customer master key (CMK) in KMS to protect your data in DynamoDB global tables, each regional replica of your global table requires an in-region customer managed key. There is no additional charge for data encrypted at rest by using a CMK owned by Amazon Cloud. Amazon Key Management Service and Amazon CloudTrail charges apply when you use customer managed CMKs and Amazon Web Services managed CMKs.
You can use customer managed CMKs in all Amazon Web Services Regions in which global tables are available, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. For more information about encryption at rest and how to manage encrypted tables, see Managing Encrypted Tables in DynamoDB in the DynamoDB Developer Guide.