DynamoDB has encrypted all existing tables that were previously unencrypted by using a default AWS owned customer master key (CMK). When creating a new table, you can now use either the default AWS owned CMK or an AWS managed CMK.

Encryption at rest greatly reduces the operational burden and complexity involved in protecting sensitive data. DynamoDB encrypts data using industry-standard AES-256 algorithms, which ensure that only authorized roles and services can access sensitive data with access to the encryption keys audited by AWS CloudTrail. With encryption at rest, you can build security-sensitive applications that require strict encryption compliance and regulatory requirements.

You do not have to make any code or application modifications to encrypt your data. Encryption at rest using the AWS owned CMK is provided at no additional charge. DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit millisecond latency that you have come to expect.

These new encryption features are available in all standard AWS Regions. To learn more, see Amazon DynamoDB Encryption at Rest.

