Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

DAX Encryption at Rest

DAX encryption at rest provides an additional layer of data protection by securing your data from unauthorized access to the underlying storage. Organizational policies, industry or government regulations, and compliance requirements might require the use of encryption at rest to protect your data. You can use encryption to increase the data security of your applications that are deployed in the cloud.

With encryption at rest, the data persisted by DAX on disk will be encrypted using 256-bit AES encryption, also known as AES-256 encryption. DAX writes data to disk as part of propagating changes from the primary node to read replicas.

DAX encryption at rest automatically integrates with AWS Key Management Service (AWS KMS) for managing the single service default key that is used to encrypt your clusters. If a service default key doesn't exist when you create your encrypted DAX cluster, AWS KMS automatically creates a new key for you. This key is used with encrypted clusters that are created in the future. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

After your data is encrypted, DAX handles decryption of your data transparently with minimal impact on performance. You don't need to modify your applications to use encryption.


DAX does not call KMS for every single DAX operation. DAX only uses the key at cluster launch. Even if access is revoked, DAX can still access the data until the cluster is shut down. Customer-specified AWS KMS keys are not supported.

DAX encryption at rest is available for the following cluster node types:

Family Node Type

Memory optimized (R4)







General purpose (T2)




DAX encryption at rest is not supported for dax.r3.* node types.

You cannot enable or disable encryption at rest after a cluster has been created. You must re-create the cluster to enable encryption at rest if it was not enabled at creation.

DAX encryption at rest is offered at no additional cost (KMS encryption key usage charges apply). For information on pricing, see Amazon DynamoDB Pricing.

Enabling Encryption at Rest (Console)

Follow these steps to enable DAX encryption at rest on a table using the console.

  1. Sign in to the AWS Management Console and open the DynamoDB console at

  2. In the navigation pane on the left side of the console under DAX, choose Clusters.

  3. Choose Create Cluster. For the Cluster name, type a short name for your cluster. Choose the node type for all of the nodes in the cluster, and for the cluster size, use 3 nodes. In Encryption, make sure that Enable encryption is selected.

            Screenshot of cluster settings in the console showing the enable encryption
  4. After choosing the IAM role, subnet group, security groups and cluster settings, choose Launch cluster.

To confirm that the cluster is encrypted, check the cluster details under the Clusters pane. Encryption should be ENABLED.