DynamoDB Encryption at Rest

  • Amazon DynamoDB encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256), which helps secure your data from unauthorized access to the underlying storage.
  • Encryption at rest can be enabled only at table creation, and it is now the default.
  • By default, encryption covers tables, local secondary indexes, and global secondary indexes.
  • DynamoDB encrypts your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS).
  • Encryption at rest integrates with AWS KMS for managing the encryption key that is used to encrypt your tables.
  • If "use default setting" is selected, tables are encrypted at rest with the AWS owned customer master key.


  • Data-in-transit: DynamoDB uses the HTTPS protocol, which protects network traffic by using SSL/TLS encryption
  • Data-in-use: Protect your data before sending it to DynamoDB using client-side encryption
  • You can use streams with encrypted tables.
  • You can use global tables with encrypted tables.
  • You can use backup and restore features with encrypted tables.
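
To check which key protects each table, the notes on the default AWS owned key and on KMS integration can be turned into an audit over DescribeTable output. This is an added example, not AWS code. The sample responses, account ID and key ID are constructed, the function names are hypothetical, and it assumes a table with no SSEDescription field is using the default AWS owned key.

```python
from datetime import datetime, timezone

# Constructed DescribeTable responses (account ID and key ID are placeholders).
SAMPLE_RESPONSES = [
    {"Table": {"TableName": "orders"}},  # no SSEDescription: default key
    {"Table": {"TableName": "payments", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
    {"Table": {"TableName": "ledger", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "InaccessibleEncryptionDateTime": datetime(2024, 1, 5, tzinfo=timezone.utc)}}},
]

def classify_table_encryption(response):
    """Return key type, key ARN and issues for one DescribeTable response."""
    table = response["Table"]
    sse = table.get("SSEDescription")
    finding = {"table": table["TableName"], "key_arn": None, "issues": []}
    if sse is None:
        # Assumption: an absent SSEDescription means the AWS owned key is in use.
        finding["key_type"] = "AWS_OWNED"
        return finding
    finding["key_type"] = sse.get("SSEType", "UNKNOWN")
    finding["key_arn"] = sse.get("KMSMasterKeyArn")
    if sse.get("Status") != "ENABLED":
        finding["issues"].append("sse_status:" + str(sse.get("Status")))
    if "InaccessibleEncryptionDateTime" in sse:
        # DynamoDB recorded that it could not use the table's KMS key.
        finding["issues"].append("kms_key_inaccessible")
    return finding

def audit(responses, require_kms=False):
    """Return only the tables that need attention."""
    flagged = []
    for response in responses:
        finding = classify_table_encryption(response)
        if require_kms and finding["key_type"] == "AWS_OWNED":
            # Policy choice: some teams require a KMS key in their own account.
            finding["issues"].append("default_aws_owned_key")
        if finding["issues"]:
            flagged.append(finding)
    return flagged

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, require_kms=True):
        print(f["table"], f["key_type"], ",".join(f["issues"]))
```

In practice the input would be the parsed output of `aws dynamodb describe-table` for each table in the account.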