[AWS Certificate]-DynamoDB Encryption

DynamoDB Encryption

• Server-side Encryption at Rest
  • Enabled by default
  • Uses KMS
  • 256-bit AES Encryption
  • Can use AWS owned CMK, AWS managed CMK, or customer managed CMK
  • Encrypts primary key, secondary indexes, streams, global tables, backups and DAX clusters
• Encryption in transit
  • Use VPC endpoints for applications running in a VPC
  • Use TLS endpoints for encrypting data transit

 

---

 

DynamoDB Encryption Client

 

• For client-side encryption
• Added protection with encryption in-transit
• Results in end-to-end encryption
• Doesn't encrypt the entire table
• Encrypts the attribute values, but not the attribute names
• Doesn't encrypt values of the primary key attributes
• You can selectively encrypt other attribute values
• You can encrypt selected items in a table, or selected attribute values in some or all items