Client-side and server-side encryption - Amazon DynamoDB Encryption Client

Client-side and server-side encryption

The DynamoDB Encryption Client supports client-side encryption, where you encrypt your table data before you send it to DynamoDB. However, DynamoDB provides a server-side encryption at rest feature that transparently encrypts your table when it is persisted to disk and decrypts it when you access the table.

The tools that you choose depend on the sensitivity of your data and the security requirements of your application. You can use both the DynamoDB Encryption Client and encryption at rest. When you send encrypted and signed items to DynamoDB, DynamoDB doesn't recognize the items as being protected. It simply sees ordinary table items with binary attribute values.

Server-side encryption at rest

DynamoDB supports encryption at rest, a server-side encryption feature in which DynamoDB transparently encrypts your tables for you when the table is persisted to disk, and decrypts them when you access the table data.

When you use an AWS SDK to interact with DynamoDB, by default, your data is encrypted in transit over an HTTPS connection, decrypted at the DynamoDB endpoint, and then re-encrypted before being stored in DynamoDB.

  • Encryption by default. DynamoDB transparently encrypts and decrypts all tables when they are written to disk. There is no option to enable or disable encryption at rest.

  • DynamoDB creates and manages the cryptographic keys. The unique key for each table is protected by an AWS KMS key that never leaves AWS Key Management Service (AWS KMS) unencrypted. By default, DynamoDB uses an AWS owned key in the DynamoDB service account, but you can choose an AWS managed key or customer managed key in your account to protect some or all of your tables.

  • All table data is encrypted on disk. When an encrypted table is saved to disk, DynamoDB encrypts all table data, including the primary key and local and global secondary indexes. If your table has a sort key, some of the sort keys that mark range boundaries are stored in plaintext in the table metadata.

  • Objects related to tables are encrypted, too. Encryption at rest protects DynamoDB streams, global tables, and backups whenever they are written to durable media.

  • Your items are decrypted when you access them. When you access the table, DynamoDB decrypts the part of the table that includes your target item, and returns the plaintext item to you.


DynamoDB Encryption Client

Client-side encryption provides end-to-end protection for your data, in transit and at rest, from its source to storage in DynamoDB. Your plaintext data is never exposed to any third party, including AWS. However, the DynamoDB Encryption Client is designed to be implemented in new, unpopulated databases. You need to add the encryption features to your DynamoDB applications before you send any data to DynamoDB.

  • Your data is protected in transit and at rest. It is never exposed to any third party, including AWS.

  • You can sign your table items. You can direct the DynamoDB Encryption Client to calculate a signature over all or part of a table item, including the primary key attributes and the table name. This signature allows you to detect unauthorized changes to the item as a whole, including adding or deleting attributes, or swapping attribute values.

  • You choose how your cryptographic keys are generated and protected. You can create and manage your keys, or use a cryptographic service, such as AWS Key Management Service or AWS CloudHSM, to generate and protect your keys.

  • You determine how your data is protected by selecting a cryptographic materials provider (CMP), or writing one of your own. The CMP determines the encryption strategy used, including when unique keys are generated, and the encryption and signing algorithms that are used.

  • The DynamoDB Encryption Client doesn't encrypt the entire table. You can encrypt selected items in a table, or selected attribute values in some or all items. However, the DynamoDB Encryption Client does not encrypt an entire item. It does not encrypt attribute names, or the names or values of the primary key (partition key and sort key) attributes. For details about what is encrypted (and what is not), see Which fields are encrypted and signed?
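The item-signing and selective-protection bullets above describe what an item-level signature has to cover to detect added, deleted or swapped attributes while still leaving the primary key and attribute names readable. The following is an added, self-contained model of that idea written for this page; it is not code from the DynamoDB Encryption Client and does not reproduce its wire format. It signs every attribute of an item except a declared unsigned set, always including the table name and the primary key attributes, using HMAC-SHA256 from the Python standard library. The table name, item, attribute names and signing key are constructed sample values, and the `*sig*` signature attribute name is hypothetical; a real deployment would obtain signing material from its cryptographic materials provider rather than a constant.

```python
import hashlib
import hmac
import json

# Constructed demo key. The real client obtains signing material from its
# cryptographic materials provider (for example AWS KMS); nothing here is the
# client's own format.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-use-in-production"

# Hypothetical reserved attribute that carries the signature on the stored item.
SIGNATURE_ATTR = "*sig*"


def canonicalize(table_name, item, unsigned_attrs):
    """Deterministic bytes over the table name and every signed attribute.

    Every attribute not listed in unsigned_attrs is covered, so adding, deleting or
    renaming an attribute changes the bytes; each entry carries name, type and value,
    so swapping two attribute values changes them too. Sorting removes dependence on
    dict insertion order, and json.dumps escapes newlines, so the join is unambiguous.
    """
    parts = [json.dumps(["table", table_name])]
    for name in sorted(item):
        if name == SIGNATURE_ATTR or name in unsigned_attrs:
            continue
        value = item[name]
        parts.append(json.dumps([name, type(value).__name__, value], sort_keys=True))
    return "\n".join(parts).encode("utf-8")


def _mac(table_name, item, unsigned_attrs, signing_key):
    """HMAC-SHA256 over the canonical form, as a hex string."""
    return hmac.new(signing_key, canonicalize(table_name, item, unsigned_attrs),
                    hashlib.sha256).hexdigest()


def sign_item(table_name, item, key_attrs, unsigned_attrs=(), signing_key=SIGNING_KEY):
    """Return a copy of item with a signature attribute added.

    Primary key attributes must be signed: binding the signature to the key (and to
    the table name) is what stops a valid item from being copied under another key.
    """
    unsigned = set(unsigned_attrs)
    if unsigned & set(key_attrs):
        raise ValueError("primary key attributes must always be signed")
    missing = set(key_attrs) - set(item)
    if missing:
        raise KeyError(f"item lacks primary key attribute(s): {sorted(missing)}")
    signed = dict(item)
    signed[SIGNATURE_ATTR] = _mac(table_name, item, unsigned, signing_key)
    return signed


def verify_item(table_name, item, unsigned_attrs=(), signing_key=SIGNING_KEY):
    """True only if the stored signature matches a fresh MAC over the item as read back."""
    stored = item.get(SIGNATURE_ATTR)
    if not isinstance(stored, str):
        return False
    expected = _mac(table_name, item, set(unsigned_attrs), signing_key)
    return hmac.compare_digest(stored, expected)


def demo():
    """Sign a constructed item, then check which kinds of tampering the signature detects."""
    table = "Orders"                      # constructed table name
    key_attrs = ("order_id",)
    unsigned = {"last_viewed"}            # an attribute deliberately left unsigned
    item = {"order_id": "A100", "bill_to": "alice", "ship_to": "bob",
            "amount": 250, "last_viewed": "2024-01-01"}
    stored = sign_item(table, item, key_attrs, unsigned)

    swapped = dict(stored)
    swapped["bill_to"], swapped["ship_to"] = swapped["ship_to"], swapped["bill_to"]
    added = dict(stored, refund=250)
    deleted = {k: v for k, v in stored.items() if k != "amount"}
    rekeyed = dict(stored, order_id="A200")
    unsigned_edit = dict(stored, last_viewed="2024-06-01")

    return {
        "intact": verify_item(table, stored, unsigned),
        "swapped_values": verify_item(table, swapped, unsigned),
        "added_attribute": verify_item(table, added, unsigned),
        "deleted_attribute": verify_item(table, deleted, unsigned),
        "changed_primary_key": verify_item(table, rekeyed, unsigned),
        "moved_to_other_table": verify_item("Archive", stored, unsigned),
        "unsigned_attribute_edited": verify_item(table, unsigned_edit, unsigned),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} signature valid: {ok}")
```

Only the intact item and the edit to the deliberately unsigned attribute verify; every other case fails, which is the property the bullets describe. Note that the signed attribute values stay in plaintext here: this model covers integrity only, while the client additionally encrypts the attribute values you select.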


AWS Encryption SDK

If you are encrypting data that you store in DynamoDB, we recommend the DynamoDB Encryption Client.

The AWS Encryption SDK is a client-side encryption library that helps you to encrypt and decrypt generic data. Although it can protect any type of data, it isn't designed to work with structured data, like database records. Unlike the DynamoDB Encryption Client, the AWS Encryption SDK cannot provide item-level integrity checking and it has no logic to recognize attributes or prevent encryption of primary keys.

If you use the AWS Encryption SDK to encrypt any element of your table, remember that it isn't compatible with the DynamoDB Encryption Client. You cannot encrypt with one library and decrypt with the other.