What is the Amazon DynamoDB Encryption Client? - Amazon DynamoDB Encryption Client

What is the Amazon DynamoDB Encryption Client?

The Amazon DynamoDB Encryption Client is a software library that helps you to protect your table data before you send it to Amazon DynamoDB. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party, including AWS. The DynamoDB Encryption Client is provided free of charge under the Apache 2.0 license.

This developer guide provides a conceptual overview of the DynamoDB Encryption Client, including an introduction to its architecture, details about how it protects DynamoDB table data and how it differs from DynamoDB server-side encryption, guidance on selecting critical components for your application, and examples in each programming language to help you get started.

The DynamoDB Encryption Client has the following benefits:

Designed especially for DynamoDB applications

You don’t need to be a cryptography expert to use the DynamoDB Encryption Client. The implementations include helper methods that are designed to work with your existing DynamoDB applications.

After you create and configure the required components, the DynamoDB Encryption Client transparently encrypts and signs your table items when you add them to a table, and verifies and decrypts them when you retrieve them.

Includes secure encryption and signing

The DynamoDB Encryption Client includes secure implementations that encrypt the attribute values in each table item using a unique encryption key, and then sign the item to protect it against unauthorized changes, such as adding or deleting attributes, or swapping encrypted values.
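The following added example illustrates why an item-level signature detects the changes listed above. It is not code from the DynamoDB Encryption Client and does not reproduce its algorithms or wire format. It assumes HMAC-SHA256 from the Python standard library as the signing primitive, and the attribute names, key, and stand-in ciphertext bytes are all constructed for the illustration.

```python
import hashlib
import hmac
import os


def canonical_bytes(item):
    """Serialize attributes in name order, length-prefixing each name and value.

    Binding every name to its value means a value moved to another attribute
    produces different bytes. The length prefixes keep boundaries unambiguous.
    """
    out = bytearray()
    for name in sorted(item):
        encoded_name = name.encode("utf-8")
        value = item[name]
        out += len(encoded_name).to_bytes(4, "big") + encoded_name
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)


def sign_item(item, signing_key):
    """Return one signature that covers every attribute in the item."""
    return hmac.new(signing_key, canonical_bytes(item), hashlib.sha256).digest()


def verify_item(item, signature, signing_key):
    """Constant-time check that the item still matches its signature."""
    return hmac.compare_digest(sign_item(item, signing_key), signature)


def tamper_checks():
    """Sign a constructed item, then verify tampered copies of it."""
    signing_key = os.urandom(32)  # constructed key, for illustration only
    item = {
        "customer_id": b"c-1001",            # left in plaintext, still signed
        "ssn": b"\x8f\x02\x5c\x11\xa9\x40",  # stand-in for an encrypted value
        "salary": b"\x17\xee\x03\xb2\x6d",   # stand-in for an encrypted value
    }
    signature = sign_item(item, signing_key)
    swapped = dict(item, ssn=item["salary"], salary=item["ssn"])
    added = dict(item, is_admin=b"\x01")
    deleted = {k: v for k, v in item.items() if k != "salary"}
    return {
        "untouched": verify_item(item, signature, signing_key),
        "swapped_values": verify_item(swapped, signature, signing_key),
        "added_attribute": verify_item(added, signature, signing_key),
        "deleted_attribute": verify_item(deleted, signature, signing_key),
    }


if __name__ == "__main__":
    for case, ok in tamper_checks().items():
        print(f"{case}: {'verifies' if ok else 'rejected'}")
```

Encrypting each value on its own would not catch any of these three changes, because every ciphertext remains individually valid; the signature over the whole item is what ties the values to their attribute names and to each other.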

Uses cryptographic materials from any source

You can use the DynamoDB Encryption Client with encryption keys from any source, including your custom implementation or a cryptography service, such as AWS Key Management Service (AWS KMS) or AWS CloudHSM. The DynamoDB Encryption Client doesn't require an AWS account or any AWS service.

Programming language implementations are interoperable

The DynamoDB Encryption Client libraries are developed in open source projects on GitHub. They are currently available in Java and Python. All supported programming language implementations of the DynamoDB Encryption Client are interoperable. For example, you can encrypt data with the Java client and decrypt it with the Python client.

However, the DynamoDB Encryption Client is not compatible with the AWS Encryption SDK or the Amazon S3 Encryption Client. You cannot encrypt with one client-side library and decrypt with another.

Sending feedback

We welcome your feedback! If you have a question or comment, or an issue to report, please use the following resources.