Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

Encryption at Rest: How It Works

DynamoDB encryption at rest encrypts your data using 256-bit AES encryption, also known as AES-256 encryption, which secures your data from unauthorized access to the underlying storage.

Encryption at rest integrates with AWS Key Management Service (AWS KMS) for managing the encryption key that is used to encrypt your tables.

When creating a new table, you can choose one of the following customer master keys (CMKs) to encrypt your table:

  • AWS owned CMK - Default encryption type. Key is owned by DynamoDB (no additional charge).

  • AWS managed CMK - Key is stored in your account and is managed by AWS KMS (KMS charges apply).

The AWS managed CMK provides these additional features:

  • You can view the CMK and its key policy (you cannot change the key policy).

  • You can audit the encryption and decryption of your DynamoDB table by examining the DynamoDB API calls to AWS KMS using CloudTrail.

AWS managed CMK

Encryption at rest automatically integrates with AWS Key Management Service (AWS KMS) for managing the AWS managed CMK for DynamoDB (aws/dynamodb) that is used to encrypt your tables. If an AWS managed CMK doesn't exist when you create your encrypted DynamoDB table, AWS KMS automatically creates a new key for you. This key is used with encrypted tables that are created in the future. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

Note

Amazon DynamoDB can't read your table data unless it has access to the AWS managed CMK stored in your AWS KMS account. DynamoDB uses envelope encryption and a key hierarchy to encrypt data. Your AWS KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see How Envelope Encryption Works with Supported AWS Services.

DynamoDB does not call KMS for every single DynamoDB operation. The key is refreshed once every five minutes per client connection with active traffic.

You should ensure that you have configured the SDK to reuse connections. Otherwise, DynamoDB has to establish a new KMS cache entry for each DynamoDB operation, which adds latency to every request and can raise your AWS KMS and CloudTrail costs. For example, to do this using the Node.js SDK, you can create a new https agent with keepAlive turned on. For more information, see Configuring maxSockets in Node.js.

For more information on managing permissions of the AWS managed CMK, see Authorizing Use of the AWS managed CMK.

You can use AWS CloudTrail and Amazon CloudWatch Logs to track the requests that DynamoDB sends to AWS KMS on your behalf. For more information, see Monitoring DynamoDB Interaction with AWS KMS.
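The connection-reuse caveat above can be checked against the CloudTrail records this page points to. As an added example (not from the Developer Guide), the Node.js snippet below counts the KMS Decrypt calls DynamoDB makes per table per five-minute window and flags tables whose peak exceeds the number of connections you expect to keep open; the record fields it reads (eventSource, userIdentity.invokedBy, and the encryption context keys aws:dynamodb:tableName and aws:dynamodb:subscriberId) follow CloudTrail's KMS events, and the sample events are constructed.

```javascript
const WINDOW_MS = 5 * 60 * 1000; // DynamoDB refreshes a connection's KMS cache entry about every 5 minutes

// Keep only KMS Decrypt calls that DynamoDB made on behalf of a table.
function isDynamoDbKmsDecrypt(ev) {
  return ev.eventSource === 'kms.amazonaws.com'
    && ev.eventName === 'Decrypt'
    && !!ev.userIdentity && ev.userIdentity.invokedBy === 'dynamodb.amazonaws.com'
    && !!ev.requestParameters && !!ev.requestParameters.encryptionContext
    && typeof ev.requestParameters.encryptionContext['aws:dynamodb:tableName'] === 'string';
}

// Count Decrypt calls per table per five-minute window; returns
// { tableName: { windows: Map<windowStartMs, count>, peak } }.
function decryptsPerWindow(events) {
  const perTable = {};
  for (const ev of events.filter(isDynamoDbKmsDecrypt)) {
    const table = ev.requestParameters.encryptionContext['aws:dynamodb:tableName'];
    const windowStart = Math.floor(Date.parse(ev.eventTime) / WINDOW_MS) * WINDOW_MS;
    const entry = perTable[table] || (perTable[table] = { windows: new Map(), peak: 0 });
    const n = (entry.windows.get(windowStart) || 0) + 1;
    entry.windows.set(windowStart, n);
    entry.peak = Math.max(entry.peak, n);
  }
  return perTable;
}

// With reused connections, each open connection causes roughly one Decrypt per
// window, so a peak well above the connections you expect to hold open points
// at connection churn. expectedConnections is your own estimate (fleet size x pool size).
function tablesWithConnectionChurn(events, expectedConnections) {
  const summary = decryptsPerWindow(events);
  return Object.keys(summary).filter(t => summary[t].peak > expectedConnections);
}

// Constructed sample records in CloudTrail's KMS event shape (not real log data).
function kmsDecrypt(eventTime, tableName) {
  return {
    eventTime, eventSource: 'kms.amazonaws.com', eventName: 'Decrypt',
    userIdentity: { type: 'AWSService', invokedBy: 'dynamodb.amazonaws.com' },
    requestParameters: { encryptionContext: {
      'aws:dynamodb:tableName': tableName, 'aws:dynamodb:subscriberId': '111122223333' } },
  };
}
const SAMPLE_EVENTS = [
  ...['00', '01', '02', '03', '04'].map(m => kmsDecrypt(`2020-01-01T10:${m}:00Z`, 'Orders')),
  kmsDecrypt('2020-01-01T10:00:00Z', 'Books'), kmsDecrypt('2020-01-01T10:06:00Z', 'Books'),
  { eventTime: '2020-01-01T10:00:00Z', eventSource: 'dynamodb.amazonaws.com', eventName: 'GetItem' },
];
console.log('Tables with apparent connection churn:', tablesWithConnectionChurn(SAMPLE_EVENTS, 2));
```

On real data, feed it the KMS events from your CloudTrail trail or the CloudWatch Logs group it delivers to, and set expectedConnections from how many clients hold open connections to the table.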
