Managing encrypted tables in DynamoDB
You can use the AWS Management Console or the AWS Command Line Interface (AWS CLI) to specify the encryption key on new tables and update the encryption keys on existing tables in Amazon DynamoDB.
Specifying the encryption key for a new table
Follow these steps to specify the encryption key on a new table using the Amazon DynamoDB console or the AWS CLI.
Creating an encrypted table (console)
Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/
. -
In the navigation pane on the left side of the console, choose Tables.
-
Choose Create Table. For the Table name, enter
Music
. For the primary key, enterArtist
, and for the sort key, enterSongTitle
, both as strings. -
In Settings, make sure that Customize settings is selected.
Note
If Use default settings is selected, tables are encrypted at rest with the AWS owned key at no additional cost.
-
Under Encryption at rest, choose an encryption type - AWS owned key, AWS managed key, or customer managed key.
-
Owned by Amazon DynamoDB. AWS owned key, specifically owned and managed by DynamoDB. You are not charged an additional fee for using this key.
-
AWS managed key. Key alias:
aws/dynamodb
. The key is stored in your account and is managed by AWS Key Management Service (AWS KMS). AWS KMS charges apply. -
Stored in your account, and owned and managed by you. Customer managed key. The key is stored in your account and is managed by AWS Key Management Service (AWS KMS). AWS KMS charges apply.
Note
If you select to own and manage your own key, make sure the KMS Key Policy is appropriately set. For more information including examples, see Key policy for a customer managed key.
-
-
Choose Create table to create the encrypted table. To confirm the encryption type, select the table details on the Overview tab and review the Additional details section.
Creating an encrypted table (AWS CLI)
Use the AWS CLI to create a table with the default AWS owned key, the AWS managed key, or a customer managed key for Amazon DynamoDB.
To create an encrypted table with the default AWS owned key
-
Create the encrypted
Music
table as follows.aws dynamodb create-table \ --table-name Music \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --provisioned-throughput \ ReadCapacityUnits=10,WriteCapacityUnits=5
Note
This table is now encrypted using the default AWS owned key in the DynamoDB service account.
To create an encrypted table with the AWS managed key for DynamoDB
-
Create the encrypted
Music
table as follows.aws dynamodb create-table \ --table-name Music \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --provisioned-throughput \ ReadCapacityUnits=10,WriteCapacityUnits=5 \ --sse-specification Enabled=true,SSEType=KMS
The
SSEDescription
status of the table description is set toENABLED
and theSSEType
isKMS
."SSEDescription": { "SSEType": "KMS", "Status": "ENABLED", "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-a123-ab1234a1b234", }
To create an encrypted table with a customer managed key for DynamoDB
-
Create the encrypted
Music
table as follows.aws dynamodb create-table \ --table-name Music \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --provisioned-throughput \ ReadCapacityUnits=10,WriteCapacityUnits=5 \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234
The
SSEDescription
status of the table description is set toENABLED
and theSSEType
isKMS
."SSEDescription": { "SSEType": "KMS", "Status": "ENABLED", "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-a123-ab1234a1b234", }
Updating an encryption key
You can also use the DynamoDB console or the AWS CLI to update the encryption keys of an existing table between an AWS owned key, AWS managed key, and customer managed key at any time.
Updating an encryption key (console)
Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/
. -
In the navigation pane on the left side of the console, choose Tables.
-
Choose the table that you want to update.
-
Select the Actions dropdown, and then select the Update settings option.
-
Go to the Additional settings tab.
-
Under Encryption, choose Manage encryption.
-
Choose an encryption type:
-
Owned by Amazon DynamoDB. The AWS KMS key is owned and managed by DynamoDB. You are not charged an additional fee for using this key.
-
AWS managed key Key alias:
aws/dynamodb
. The key is stored in your account and is managed by AWS Key Management Service. (AWS KMS). AWS KMS charges apply. -
Stored in your account, and owned and managed by you. The key is stored in your account and is managed by AWS Key Management Service. (AWS KMS). AWS KMS charges apply.
Note
If you select to own and manage your own key, make sure the KMS Key Policy is appropriately set. For more information see Key policy for a customer managed key.
Then choose Save to update the encrypted table. To confirm the encryption type, check the table details under the Overview tab.
-
Updating an encryption key (AWS CLI)
The following examples show how to update an encrypted table using the AWS CLI.
To update an encrypted table with the default AWS owned key
-
Update the encrypted
Music
table, as in the following example.aws dynamodb update-table \ --table-name Music \ --sse-specification Enabled=false
Note
This table is now encrypted using the default AWS owned key in the DynamoDB service account.
To update an encrypted table with the AWS managed key for DynamoDB
-
Update the encrypted
Music
table, as in the following example.aws dynamodb update-table \ --table-name Music \ --sse-specification Enabled=true
The
SSEDescription
status of the table description is set toENABLED
and theSSEType
isKMS
."SSEDescription": { "SSEType": "KMS", "Status": "ENABLED", "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-a123-ab1234a1b234", }
To update an encrypted table with a customer managed key for DynamoDB
-
Update the encrypted
Music
table, as in the following example.aws dynamodb update-table \ --table-name Music \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234
The
SSEDescription
status of the table description is set toENABLED
and theSSEType
isKMS
."SSEDescription": { "SSEType": "KMS", "Status": "ENABLED", "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-a123-ab1234a1b234", }