Amazon DynamoDB encryption at rest helps you secure your application data in Amazon DynamoDB tables further using AWS-managed encryption keys stored in AWS Key Management Service (KMS). Encryption at rest is fully transparent to the user with all DynamoDB queries working seamlessly on encrypted data. With this new capability, it has never been easier to use DynamoDB for security-sensitive applications with strict encryption compliance and regulatory requirements.
Encryption at rest expands on DynamoDB’s existing security controls i.e., data protection and security using TLS endpoints for encryption-in-transit, a client-side library for end-to-end encryption, and fine-grained access control using AWS Identity and Access Management (IAM). Last year, AWS added VPC Endpoints for DynamoDB to ensure your VPC and DynamoDB connection remains closed and isolated from the Internet, and to enable restricting access to DynamoDB only from your authorized applications.
DynamoDB encryption at rest is generally available in EU (Ireland), US East (N. Virginia), US East (Ohio), and US West (Oregon) at no extra cost (KMS encryption key usage charges apply). With today’s release, encryption at rest is available for new DynamoDB tables. Furthermore, backups of encrypted DynamoDB tables are also fully encrypted.