| by Arround The Web

DynamoDB Encryption: How It Works, Options, and Configuration

DynamoDB is a fully managed NoSQL database that many organizations run their primary and mission-critical data on, because it offers highly durable and scalable storage. Its encryption features let teams meet strict data security and compliance requirements without changing their application code.

This tutorial explains the encryption mechanisms that DynamoDB offers in Amazon Web Services (AWS), the key options you can choose between, and a step-by-step procedure for configuring encryption at rest with the AWS CLI.

How Does DynamoDB Encryption Work

DynamoDB encryption adds a layer of protection so that your data stays unreadable to anyone who obtains the underlying storage without authorization. Understanding how it works begins with knowing which data is protected and by which mechanism.

DynamoDB offers two complementary mechanisms. Server-side encryption at rest is applied transparently by the service to everything it stores, and requires no change to your application. Client-side encryption is something your application does itself, typically with the DynamoDB Encryption Client (now the AWS Database Encryption SDK for DynamoDB): it encrypts and signs attribute values before writing them, so DynamoDB never sees the plaintext. Only the client-side option requires you to encrypt and sign data before storing it. Data in transit is protected separately by TLS on the DynamoDB endpoints.

Encryption at rest protects the stored bytes, not the API: it does not by itself stop a man-in-the-middle (that is the job of TLS), and it does not decide who may read the table through the API (that is the job of IAM permissions and the KMS key policy). Within that scope it covers everything DynamoDB stores for a table, including the primary key, local secondary indexes, global secondary indexes, streams, backups and global tables.

How to Enable the DynamoDB Data at Rest Encryption

Encryption at rest is always on: every DynamoDB table is encrypted, and AWS Key Management Service (AWS KMS) holds the root key that protects it. What you choose is which kind of KMS key DynamoDB uses. Three types are available:

  • AWS-Owned Keys: The default. The key belongs to AWS and lives outside your account, so you cannot view, audit, rotate or manage it, and its use carries no KMS charge. Adequate when you only need data encrypted on disk and have no requirement to control or audit the key.
  • AWS-Managed Keys: The key aws/dynamodb, created in your account the first time you select it. AWS creates and rotates it; you can see it in KMS and see its use in CloudTrail, but you cannot change its key policy, disable it or delete it. KMS charges apply.
  • Customer-Managed Keys: A key you create in KMS. You own its key policy, aliases, rotation schedule and lifecycle, can grant or revoke access to it, and can audit every use. Choose this when compliance demands demonstrable control over the key, or when you need the ability to cut off access to the data by disabling the key. Be aware that if you disable the key or schedule it for deletion, the table becomes inaccessible until the key is enabled again.

You select the key type when you create or update a table through the DynamoDB console, the AWS CLI or the API by supplying an SSESpecification. For an AWS-managed or customer-managed key, set SSEType=KMS and pass the key's ID, ARN, alias name or alias ARN as KMSMasterKeyId; omit KMSMasterKeyId to get aws/dynamodb. Omit the SSESpecification entirely, or set Enabled=false, to use the AWS-owned key. The key policy of a customer-managed key must allow DynamoDB to use the key on behalf of the caller, otherwise the create or update request fails.

You can set up the DynamoDB data at rest encryption using the AWS CLI using the following steps:

Step 1 – Create an Amazon Key Management Service (KMS) key or use an existing key to encrypt the data in your DynamoDB table. The KMS key is used to encrypt and decrypt the data at rest in your DynamoDB table.

Step 2 – Create a DynamoDB table and specify the encryption type and the KMS key for the data at rest encryption.

Step 3 – Load the data into the DynamoDB table. The data is automatically encrypted when it is written to the table.

Here’s an example on how to create a DynamoDB table with the data at rest encryption using the AWS CLI:

aws dynamodb create-table \
    --table-name MyTableName \
    --attribute-definitions AttributeName=Id,AttributeType=S \
    --key-schema AttributeName=Id,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
    --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<KMS_KEY_ARN>

In this example, the MyTableName table is created with encryption at rest under the KMS key whose ARN you substitute for the <KMS_KEY_ARN> placeholder. Items are encrypted under that key as they are written and decrypted as they are read; the application sees plaintext and needs no KMS calls of its own.

You can also enable the data at rest encryption for an existing DynamoDB table using the update-table command:

aws dynamodb update-table \
    --table-name MyTableName \
    --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<KMS_KEY_ARN>

The previous command moves the existing MyTableName table onto the KMS key given in place of <KMS_KEY_ARN>. The table stays available while the change is applied.

Switching between key types on a new or existing table is always done through the SSESpecification; the table's billing mode (PROVISIONED or PAY_PER_REQUEST) has nothing to do with encryption. Leave KMSMasterKeyId out to use the AWS-managed key aws/dynamodb, or set Enabled=false to return to the AWS-owned key. Changing the key affects only data at rest; it does not encrypt traffic between clients and the table, which is the job of TLS.

Encryption at rest covers the whole table, not only items written after the change. When you switch keys, DynamoDB transitions the existing data to the new key in the background; the table's SSEDescription reports Status UPDATING while that runs and ENABLED when it completes, which you can confirm with aws dynamodb describe-table. No scan-and-rewrite of the data is required.
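A practitioner rarely stops at enabling encryption; the next question is which of the three key types each table actually uses and whether any table is still on a key outside your control. The script below is an added example for this article, not code from the article or from AWS. It classifies tables from the JSON shapes returned by aws dynamodb describe-table and aws kms describe-key (a table on the AWS-owned key carries no SSEDescription at all; KeyManager in the KMS response tells aws/dynamodb apart from a customer-managed key) and builds the --sse-specification value needed to move a non-compliant table onto a chosen key. The table names, key ARNs and API responses are constructed samples so the check runs offline; in practice you would feed it the real command output.

```python
"""Audit which kind of KMS key encrypts each DynamoDB table at rest.

Added example, not code from the article or from AWS. It consumes the JSON shapes of
`aws dynamodb describe-table` and `aws kms describe-key`; the responses below are
CONSTRUCTED samples (fake table names, account ID and key ARNs) so it runs offline.
"""
from typing import Dict, Optional, Tuple

AWS_OWNED = "AWS_OWNED"                # default: table has no SSEDescription at all
AWS_MANAGED = "AWS_MANAGED"            # alias aws/dynamodb, KeyManager == "AWS"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED"  # your own key, KeyManager == "CUSTOMER"
PENDING = "PENDING"                    # key change still being applied by DynamoDB

# Constructed: trimmed describe-table outputs. Only tables on an AWS managed or a
# customer managed key carry an SSEDescription; the AWS owned default has none.
SAMPLE_TABLES = {
    "Orders": {"Table": {"TableName": "Orders"}},
    "Users": {"Table": {"TableName": "Users", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"}}},
    "Payments": {"Table": {"TableName": "Payments", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"}}},
    "Archive": {"Table": {"TableName": "Archive", "SSEDescription": {
        "Status": "UPDATING", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"}}},
}

# Constructed: trimmed describe-key outputs keyed by key ARN. KeyManager separates
# the AWS managed aws/dynamodb key from a key you created yourself.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111": {"KeyMetadata": {
        "KeyManager": "AWS", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222": {"KeyMetadata": {
        "KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
}


def classify_table(describe_table: dict, keys: Dict[str, dict]) -> Tuple[str, Optional[str]]:
    """Return (key_type, key_arn) for one parsed describe-table response."""
    sse = describe_table["Table"].get("SSEDescription")
    if sse is None:
        return AWS_OWNED, None
    status, arn = sse.get("Status"), sse.get("KMSMasterKeyArn")
    if status in ("ENABLING", "UPDATING"):
        return PENDING, arn          # re-check once DynamoDB finishes the key change
    if status != "ENABLED" or sse.get("SSEType") != "KMS" or not arn:
        raise ValueError(f"unexpected SSEDescription: {sse}")
    meta = keys.get(arn, {}).get("KeyMetadata")
    if meta is None:
        raise ValueError(f"no describe-key data for {arn}")
    kind = AWS_MANAGED if meta["KeyManager"] == "AWS" else CUSTOMER_MANAGED
    return kind, arn


def audit(tables: Dict[str, dict], keys: Dict[str, dict]) -> Dict[str, dict]:
    """Flag every table that is not on an enabled customer managed key."""
    report = {}
    for name, desc in tables.items():
        key_type, arn = classify_table(desc, keys)
        state = keys.get(arn, {}).get("KeyMetadata", {}).get("KeyState") if arn else None
        compliant = key_type == CUSTOMER_MANAGED and state == "Enabled"
        report[name] = {"key_type": key_type, "key_arn": arn, "compliant": compliant}
    return report


def sse_specification_arg(key_arn: str) -> str:
    """Build the --sse-specification value for update-table to move a table onto key_arn."""
    return f"Enabled=true,SSEType=KMS,KMSMasterKeyId={key_arn}"


if __name__ == "__main__":
    for name, row in audit(SAMPLE_TABLES, SAMPLE_KEYS).items():
        flag = "ok " if row["compliant"] else "FIX"
        print(f"{flag} {name:<10} {row['key_type']:<17} {row['key_arn'] or '-'}")
```

Two design points: the compliance rule also checks KeyState, because a customer-managed key that is disabled or pending deletion makes the table unreadable rather than more secure, and a Status of ENABLING or UPDATING is reported as PENDING instead of being judged, since DynamoDB has not finished applying the key change yet.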


Finally, keep the two layers distinct. Data at rest is always encrypted, as described above. Data in transit between your client and DynamoDB is protected by TLS: the AWS Management Console, the AWS CLI and the AWS SDKs all connect to the HTTPS endpoints by default, so you only lose that protection if you deliberately override the endpoint with a plain http:// URL. To make this a policy rather than a default, deny DynamoDB actions in IAM when the request is not made over TLS by using a condition on the aws:SecureTransport key, and use the SSESpecification options above to control which KMS key protects the data once it arrives.


Source: linuxhint.com
