Amazon DynamoDB adds support for switching encryption keys to encrypt your data at rest

Posted on: Feb 28, 2019

Amazon DynamoDB is a fully managed, multi-region, multi-master database that by default encrypts all your data at rest to help enhance the security of your DynamoDB data. You can encrypt all your data with either the default encryption, which uses the AWS owned customer master key (CMK), or the AWS managed CMK. DynamoDB now supports switching encryption keys between the AWS owned CMK and the AWS managed CMK, without any code or application modifications.

Encryption at rest reduces the operational burden and complexity involved in building security-sensitive applications that must meet strict encryption compliance and regulatory requirements. DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit millisecond latency that you have come to expect. DynamoDB encrypts data using 256-bit Advanced Encryption Standard (AES-256), which helps secure your data from unauthorized access to the underlying storage. Encryption at rest using the AWS owned CMK is provided at no additional charge.

You can switch the encryption keys with a single click in the AWS Management Console, a simple API call, or with the AWS Command Line Interface (CLI). This feature is available in all commercial regions. To learn more, see Amazon DynamoDB Encryption at Rest.
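
One way to check which key a table currently uses and build the request for the API call mentioned above, as an added example that is not AWS's own code. The dictionaries mimic the shape of DynamoDB `DescribeTable` responses and are constructed; the helper names are hypothetical, and the code assumes a table on the AWS owned CMK returns no `SSEDescription`.

```python
# Constructed DescribeTable-shaped samples (not captured AWS output).
OWNED_TABLE = {"Table": {"TableName": "orders"}}
MANAGED_TABLE = {"Table": {"TableName": "payments", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}
UPDATING_TABLE = {"Table": {"TableName": "audit", "SSEDescription": {
    "Status": "UPDATING", "SSEType": "KMS"}}}


def key_type(describe_response):
    """Classify a table as 'AWS_OWNED', 'KMS' or 'IN_TRANSITION'."""
    sse = describe_response["Table"].get("SSEDescription")
    # Assumption: no SSEDescription means the default AWS owned CMK is in use.
    if sse is None or sse.get("Status") == "DISABLED":
        return "AWS_OWNED"
    if sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS":
        return "KMS"
    # ENABLING, DISABLING or UPDATING: a key switch is still in progress.
    return "IN_TRANSITION"


def switch_request(describe_response, target):
    """Build UpdateTable parameters to move a table to `target`.

    Returns None when the table already uses the target key type, and
    refuses to act while a previous switch is still in progress.
    """
    if target not in ("AWS_OWNED", "KMS"):
        raise ValueError("target must be 'AWS_OWNED' or 'KMS'")
    current = key_type(describe_response)
    if current == "IN_TRANSITION":
        raise RuntimeError("encryption change already in progress")
    if current == target:
        return None
    # Enabled=True selects the AWS managed CMK; Enabled=False the AWS owned CMK.
    spec = {"Enabled": True, "SSEType": "KMS"} if target == "KMS" else {"Enabled": False}
    return {"TableName": describe_response["Table"]["TableName"],
            "SSESpecification": spec}


if __name__ == "__main__":
    for sample in (OWNED_TABLE, MANAGED_TABLE):
        print(sample["Table"]["TableName"], key_type(sample),
              switch_request(sample, "KMS"))
```

The returned dictionary matches the keyword arguments of boto3's `update_table`, so a caller with credentials can pass it as `client.update_table(**request)`.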