Encrypt your Amazon DynamoDB global tables by using your own encryption keys

Posted on: Nov 6, 2020

With Amazon DynamoDB global tables, you can give massively scaled, global applications local access to DynamoDB tables for fast read and write performance. All of your data in DynamoDB is encrypted at rest by default using keys in the AWS Key Management Service (KMS). Starting today, you can choose a customer managed key for your global tables, giving you full control over the key used to encrypt the DynamoDB data replicated through global tables. Every use of a customer managed key is also recorded in AWS CloudTrail, so you can see each time the key was used or accessed, and by which principal.

When you choose a customer managed customer master key (CMK) in KMS to protect the data in your DynamoDB global table, each regional replica requires its own customer managed key in that replica's Region; KMS keys are regional, so one key cannot serve replicas in several Regions. There is no additional charge for data encrypted at rest with an AWS owned CMK. AWS Key Management Service and AWS CloudTrail charges apply when you use customer managed CMKs or AWS managed CMKs.
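The following is an added example, not code from the AWS announcement: it builds the request parameters for creating a KMS-encrypted source table and adding a replica with its own in-Region key (the parameter shapes boto3's `create_table` and `update_table` accept for version 2019.11.21 global tables), and then audits a `describe_table` response to confirm that every replica is on the expected customer managed key in its own Region. The account ID, table name, key ARNs, Regions and the sample `describe_table` output are all constructed for the example; no AWS call is made, so it runs offline.

```python
"""Build the requests for a KMS-encrypted DynamoDB global table and audit the result (added example)."""
import copy
import json
import re

# Constructed values for this example: a hypothetical account, table and one key per Region.
ACCOUNT_ID = "123456789012"
TABLE_NAME = "orders"
SOURCE_REGION = "us-east-1"
REPLICA_KEYS = {
    "us-east-1": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-1111-1111-1111-111111111111",
    "eu-west-1": f"arn:aws:kms:eu-west-1:{ACCOUNT_ID}:key/22222222-2222-2222-2222-222222222222",
}

# Matches a KMS key ARN in the aws, aws-cn and aws-us-gov partitions and captures its Region.
KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/[0-9a-f-]{36}$"
)


def create_table_request(table_name, key_arn):
    """Parameters for client.create_table(): the source table encrypted under a customer
    managed key, with the stream that global tables require."""
    return {
        "TableName": table_name,
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST",
        "StreamSpecification": {"StreamEnabled": True, "StreamViewType": "NEW_AND_OLD_IMAGES"},
        "SSESpecification": {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": key_arn},
    }


def add_replicas_request(table_name, source_region, replica_keys):
    """Parameters for client.update_table(): one Create action per replica Region, each
    naming the customer managed key that lives in that Region."""
    return {
        "TableName": table_name,
        "ReplicaUpdates": [
            {"Create": {"RegionName": region, "KMSMasterKeyId": key_arn}}
            for region, key_arn in replica_keys.items()
            if region != source_region
        ],
    }


def check_replica_encryption(table, source_region, expected_keys):
    """Audit the 'Table' member of a describe_table() response issued in source_region.
    Returns a list of findings; an empty list means every replica uses the expected key
    and that key is in the replica's own Region."""
    findings = []
    sse = table.get("SSEDescription", {})
    if sse.get("SSEType") != "KMS" or sse.get("Status") != "ENABLED":
        findings.append(f"{source_region}: table is not encrypted with a KMS key")
    elif sse.get("KMSMasterKeyArn") != expected_keys.get(source_region):
        findings.append(f"{source_region}: unexpected key {sse.get('KMSMasterKeyArn')}")
    for replica in table.get("Replicas", []):
        region = replica["RegionName"]
        key_arn = replica.get("KMSMasterKeyId")
        if not key_arn:
            findings.append(f"{region}: no KMSMasterKeyId, replica is on the AWS owned key")
            continue
        match = KEY_ARN.match(key_arn)
        if not match:
            findings.append(f"{region}: unparseable key ARN {key_arn}")
            continue
        if match.group("region") != region:
            findings.append(f"{region}: key is in {match.group('region')}, must be in-region")
        if expected_keys.get(region) != key_arn:
            findings.append(f"{region}: unexpected key {key_arn}")
    return findings


# Constructed describe_table() output for a correctly configured table, and a drifted
# variant whose eu-west-1 replica names the us-east-1 key.
GOOD_TABLE = {
    "TableName": TABLE_NAME,
    "TableStatus": "ACTIVE",
    "GlobalTableVersion": "2019.11.21",
    "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                       "KMSMasterKeyArn": REPLICA_KEYS["us-east-1"]},
    "Replicas": [{"RegionName": "eu-west-1", "ReplicaStatus": "ACTIVE",
                  "KMSMasterKeyId": REPLICA_KEYS["eu-west-1"]}],
}
BAD_TABLE = copy.deepcopy(GOOD_TABLE)
BAD_TABLE["Replicas"][0]["KMSMasterKeyId"] = REPLICA_KEYS["us-east-1"]

if __name__ == "__main__":
    print(json.dumps(create_table_request(TABLE_NAME, REPLICA_KEYS[SOURCE_REGION]), indent=2))
    print(json.dumps(add_replicas_request(TABLE_NAME, SOURCE_REGION, REPLICA_KEYS), indent=2))
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, check_replica_encryption(table, SOURCE_REGION, REPLICA_KEYS) or "OK")
```

In practice the audit function is run against the real `describe_table` output from each replica Region; a replica with no `KMSMasterKeyId` has fallen back to the AWS owned key and will not appear in your CloudTrail key-usage history, which is the drift this check is meant to catch.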

You can use customer managed CMKs in all AWS Regions in which global tables are available: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), South America (Sao Paulo), AWS GovCloud (US-East), and AWS GovCloud (US-West). For more information about encryption at rest and how to manage encrypted tables, see Managing Encrypted Tables in DynamoDB in the DynamoDB developer guide.