Amazon DynamoDB Encryption Client
Developer Guide

Client-Side or Server-Side Encryption?

The DynamoDB Encryption Client supports client-side encryption, where you encrypt your table data before you send it to DynamoDB. DynamoDB also supports an encryption at rest feature that transparently encrypts your table when it is persisted to disk and decrypts it when you access the table.

The tools that you choose depend on the sensitivity of your data and the security requirements of your application.

You can also use the DynamoDB Encryption Client and encryption at rest together. When you send encrypted and signed items to DynamoDB, DynamoDB doesn't recognize the items as being protected. It just detects typical table items with binary attribute values. Those table items can be part of an encrypted or unencrypted table.

Encryption at Rest

DynamoDB offers encryption at rest, a server-side encryption option in which DynamoDB transparently encrypts your tables for you when the table is persisted to disk, and decrypts them when you access the table data.

With server-side encryption, your data is encrypted in transit over an HTTPS connection, decrypted at the DynamoDB endpoint, and then re-encrypted before being stored in DynamoDB.

  • It's easy to use. Just select the encryption option when you create a table. DynamoDB transparently encrypts and decrypts the table for you.

  • DynamoDB creates and manages the cryptographic keys. The unique key for each table is protected by an AWS Key Management Service (AWS KMS) customer master key that never leaves AWS KMS unencrypted.

  • All table data is encrypted on disk. When an encrypted table is saved to disk, DynamoDB encrypts all table data, including the primary key and local and global secondary indexes. If your table has a sort key, some of the sort keys that mark range boundaries are stored in plaintext in the table metadata.

  • Your items are decrypted when you access them. When you access the table, DynamoDB decrypts the part of the table that includes your target item, and returns the plaintext item to you.


DynamoDB Encryption Client

Client-side encryption provides end-to-end protection for your data, in transit and at rest, from its source to storage in DynamoDB. Your plaintext data is never exposed to any third party, including AWS. However, you need to add the encryption features to your DynamoDB applications.

  • Your data is protected in transit and at rest. It is never exposed to any third party, including AWS.

  • You can sign your table items. You can direct the DynamoDB Encryption Client to calculate a signature over all or part of a table item, including the primary key attributes and the table name. This signature allows you to detect unauthorized changes to the item as a whole, including adding or deleting attributes, or swapping attribute values.

  • You choose how your cryptographic keys are generated and protected. You can create and manage them yourself, or use a cryptographic service such as AWS Key Management Service or AWS CloudHSM to generate and protect your keys.

  • You determine how your data is protected by selecting a cryptographic materials provider (CMP), or writing one of your own. The CMP determines the encryption strategy used, including when unique keys are generated, and the encryption and signing algorithms that are used.

  • The DynamoDB Encryption Client doesn't encrypt the entire table. You can encrypt selected items in a table, or selected attribute values in some or all items. However, the DynamoDB Encryption Client does not encrypt an entire item. It does not encrypt attribute names, or the names or values of the primary key (partition key and sort key) attributes. For details about what is encrypted (and what is not), see Which Fields Are Encrypted and Signed?.
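The item signing described in the list above can be illustrated with a simplified stand-in. This is an added example, not the DynamoDB Encryption Client's own code or item format: it uses HMAC-SHA256 from the Python standard library, omits encryption of attribute values, and the table names, attribute names, key, and `_signature` attribute are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; in practice the signing key comes from your CMP.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
SIG_ATTR = "_signature"  # hypothetical attribute name used by this sketch


def _canonical(table_name, item):
    """Serialize table name plus every attribute, sorted and length-prefixed."""
    parts = [table_name.encode()]
    for name in sorted(k for k in item if k != SIG_ATTR):
        parts += [name.encode(), repr(item[name]).encode()]
    # Length prefixes stop bytes from sliding between adjacent fields.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def _mac(table_name, item, key):
    return hmac.new(key, _canonical(table_name, item), hashlib.sha256).hexdigest()


def sign_item(table_name, item, key=SIGNING_KEY):
    """Return a copy of the item with a signature over the whole item."""
    signed = {k: v for k, v in item.items() if k != SIG_ATTR}
    signed[SIG_ATTR] = _mac(table_name, signed, key)
    return signed


def verify_item(table_name, item, key=SIGNING_KEY):
    """True only if table name, attribute set, and all values are unchanged."""
    stored = str(item.get(SIG_ATTR, ""))
    return hmac.compare_digest(_mac(table_name, item, key), stored)


def tamper_cases():
    """Run the changes the signature is meant to detect (constructed items)."""
    a = sign_item("Patients", {"patient_id": "p-001", "visit": 1,
                               "diagnosis": "A", "bill": 120})
    b = sign_item("Patients", {"patient_id": "p-002", "visit": 1,
                               "diagnosis": "B", "bill": 900})
    return {
        "untouched": verify_item("Patients", a),
        "swapped_value": verify_item("Patients", dict(a, bill=b["bill"])),
        "added_attribute": verify_item("Patients", dict(a, discount=100)),
        "deleted_attribute": verify_item(
            "Patients", {k: v for k, v in a.items() if k != "diagnosis"}),
        # Whole item b, signature included, stored under a's primary key.
        "moved_to_other_key": verify_item("Patients", dict(b, patient_id="p-001")),
        "moved_to_other_table": verify_item("PatientsArchive", a),
    }
```

Because the primary key and table name are inside the signed data, copying a validly signed item to another key or another table fails verification even though none of its other attributes changed.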


AWS Encryption SDK

If you are encrypting data that you store in DynamoDB, we recommend the DynamoDB Encryption Client.

The AWS Encryption SDK is a client-side encryption library that helps you to encrypt and decrypt generic data. Although it can protect any type of data, it isn't designed to work with structured data, like database records. Unlike the DynamoDB Encryption Client, the AWS Encryption SDK cannot provide item-level integrity checking and it has no logic to recognize attributes or prevent encryption of primary keys.

If you use the AWS Encryption SDK to encrypt any element of your table, remember that it isn't compatible with the DynamoDB Encryption Client. You cannot encrypt with one library and decrypt with the other.