DynamoDB encryption at rest

All user data stored in Amazon DynamoDB is fully encrypted at rest. DynamoDB encryption at rest uses AWS Key Management Service (AWS KMS) encryption keys to encrypt all of your data at rest, providing enhanced security. This feature can reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.

DynamoDB encryption at rest provides additional data protection by encrypting table data, including the primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters, whenever that data is stored on persistent media. Organizational policies, industry or government regulations, and compliance requirements often require the use of encryption at rest to improve the data security of applications.

Encryption at rest integrates with AWS KMS to manage the encryption keys used to encrypt your tables. For more information, see AWS Key Management Service concepts.

When you create a new table, you can choose one of the following customer master keys (CMKs) to encrypt the table:

  • AWS owned CMK - the default encryption type. The key is owned by DynamoDB (no additional charge).

  • AWS managed CMK - the key is stored in your account and managed by AWS KMS (AWS KMS charges apply).

When you access an encrypted table, DynamoDB transparently decrypts the table data. You can switch between the AWS owned CMK and the AWS managed CMK at any time. You do not have to change any code or applications to use or manage an encrypted table. DynamoDB continues to deliver the same single-digit-millisecond latency you expect, and all DynamoDB queries work seamlessly on the encrypted data.
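The two key choices above map onto one parameter of the DynamoDB API. The following is an added example (not code from the original post or from AWS) that builds the SSESpecification for each choice, switches an existing table to the AWS managed CMK, and reads a DescribeTable response back to confirm which key a table uses. The API names SSESpecification, Enabled, SSEType, SSEDescription, Status and KMSMasterKeyArn are real DynamoDB API fields; the fake client, the sample responses, the account id and the key ARN are constructed so the code runs without AWS credentials. It assumes, as observed with the API, that DescribeTable returns no SSEDescription for a table encrypted with the AWS owned CMK.

```python
# Added example (not from the original post): the DynamoDB API side of
# choosing and checking the CMK for encryption at rest.
#
# Assumption: DescribeTable omits SSEDescription (or returns it without a
# Status) when the table uses the AWS owned CMK; it returns SSEType "KMS"
# when the AWS managed CMK (aws/dynamodb) in your account is used.

AWS_OWNED = "AWS owned CMK"
AWS_MANAGED = "AWS managed CMK (KMS, stored in your account)"


def sse_specification(key_type: str) -> dict:
    """Build the SSESpecification parameter for CreateTable or UpdateTable.

    "owned"   -> AWS owned CMK, the default; data is still encrypted, but the
                 key belongs to DynamoDB and is not visible in your account.
    "managed" -> AWS managed CMK aws/dynamodb, created by AWS KMS on demand.
    """
    if key_type == "owned":
        return {"Enabled": False}
    if key_type == "managed":
        return {"Enabled": True, "SSEType": "KMS"}
    raise ValueError(f"unsupported key type: {key_type!r}")


def classify_encryption(describe_response: dict) -> str:
    """Report which CMK a table uses, from a DescribeTable response."""
    sse = describe_response.get("Table", {}).get("SSEDescription") or {}
    if sse.get("Status") in ("ENABLED", "ENABLING") and sse.get("SSEType") == "KMS":
        return AWS_MANAGED
    return AWS_OWNED


def switch_to_managed_cmk(client, table_name: str) -> dict:
    """Switch an existing table to the AWS managed CMK.

    `client` is any object with a boto3-style update_table(**kwargs) method;
    with a real boto3 DynamoDB client this issues the UpdateTable call.
    """
    return client.update_table(
        TableName=table_name,
        SSESpecification=sse_specification("managed"),
    )


class FakeDynamoDBClient:
    """Constructed stand-in for boto3.client('dynamodb') that records calls."""

    def __init__(self):
        self.calls = []

    def update_table(self, **kwargs):
        self.calls.append(("UpdateTable", kwargs))
        return {"TableDescription": {"TableName": kwargs["TableName"]}}


# Constructed DescribeTable responses (shape only; account id and key id are placeholders).
OWNED_KEY_RESPONSE = {"Table": {"TableName": "Orders", "TableStatus": "ACTIVE"}}
MANAGED_KEY_RESPONSE = {
    "Table": {
        "TableName": "Orders",
        "TableStatus": "ACTIVE",
        "SSEDescription": {
            "Status": "ENABLED",
            "SSEType": "KMS",
            "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
        },
    }
}


if __name__ == "__main__":
    print("before:", classify_encryption(OWNED_KEY_RESPONSE))
    fake = FakeDynamoDBClient()
    switch_to_managed_cmk(fake, "Orders")
    print("request sent:", fake.calls[0])
    print("after:", classify_encryption(MANAGED_KEY_RESPONSE))
```

With a real client, replace `FakeDynamoDBClient()` by `boto3.client("dynamodb")`; the UpdateTable call is the same, and a DescribeTable on the table afterwards feeds `classify_encryption` directly.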

Encryption at rest: how it works

Amazon DynamoDB encryption at rest uses 256-bit Advanced Encryption Standard (AES-256) to encrypt your data, which helps protect it by preventing unauthorized access to the underlying storage.

Encryption at rest integrates with AWS Key Management Service (AWS KMS) to manage the encryption keys used to encrypt your tables.

When creating a new table, or when switching the encryption key on an existing table, you can choose one of the following customer master keys (CMKs):

  • AWS owned CMK - the default encryption type. The key is owned by DynamoDB (no additional charge).

  • AWS managed CMK - the key is stored in your account and managed by AWS KMS (AWS KMS charges apply).

The AWS managed CMK provides the following additional features:

  • You can view the CMK and its key policy. (You cannot change the key policy.)

  • You can use AWS CloudTrail to audit the AWS KMS API calls that DynamoDB makes, in order to review encryption and decryption of your DynamoDB tables.
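The CloudTrail audit in the second bullet is the one place where the AWS managed CMK gives you visibility that the AWS owned CMK does not. The following is an added example (not code from the original post or from AWS) that takes CloudTrail event records and summarises the KMS calls DynamoDB made per table, and separately lists the ones that failed, since a KMS call that DynamoDB cannot complete means the table data cannot be read. The field names eventSource, eventName, errorCode, userIdentity.invokedBy and requestParameters.encryptionContext are real CloudTrail record fields, and the encryption-context keys aws:dynamodb:tableName and aws:dynamodb:subscriberId are the ones DynamoDB is documented to pass to KMS; the events themselves, the account id and the error value are constructed samples.

```python
# Added example (not from the original post): summarising DynamoDB's KMS calls
# from CloudTrail records. SAMPLE_EVENTS are constructed in CloudTrail's JSON
# shape; the account id 111122223333 is a placeholder.

from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

DYNAMODB_SERVICE = "dynamodb.amazonaws.com"
KMS_SOURCE = "kms.amazonaws.com"
TABLE_CTX_KEY = "aws:dynamodb:tableName"


def _ddb_event(name: str, table: str, error: str = None) -> dict:
    """Constructed KMS event invoked by DynamoDB on behalf of a table."""
    event = {
        "eventSource": KMS_SOURCE,
        "eventName": name,
        "userIdentity": {"type": "AWSService", "invokedBy": DYNAMODB_SERVICE},
        "requestParameters": {
            "encryptionContext": {
                TABLE_CTX_KEY: table,
                "aws:dynamodb:subscriberId": "111122223333",
            }
        },
    }
    if error:
        event["errorCode"] = error
    return event


SAMPLE_EVENTS: List[dict] = [
    _ddb_event("Decrypt", "Orders"),
    _ddb_event("GenerateDataKey", "Orders"),
    _ddb_event("Decrypt", "Sessions", error="AccessDenied"),
    # Ordinary DynamoDB data-plane call: not a KMS event, must be ignored.
    {"eventSource": DYNAMODB_SERVICE, "eventName": "PutItem",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"tableName": "Orders"}},
    # KMS call by a human principal, not invoked by DynamoDB: also ignored here.
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"encryptionContext": {}}},
]


def dynamodb_kms_calls(events: Iterable[dict]) -> Iterator[dict]:
    """Yield only the KMS events that DynamoDB issued on your behalf."""
    for event in events:
        if event.get("eventSource") != KMS_SOURCE:
            continue
        if event.get("userIdentity", {}).get("invokedBy") != DYNAMODB_SERVICE:
            continue
        yield event


def _table_of(event: dict) -> str:
    ctx = event.get("requestParameters", {}).get("encryptionContext", {})
    return ctx.get(TABLE_CTX_KEY, "<unknown table>")


def kms_calls_per_table(events: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Count KMS operations (Decrypt, GenerateDataKey, ...) per DynamoDB table."""
    per_table: Dict[str, Counter] = defaultdict(Counter)
    for event in dynamodb_kms_calls(events):
        per_table[_table_of(event)][event["eventName"]] += 1
    return {table: dict(counts) for table, counts in per_table.items()}


def failed_dynamodb_kms_calls(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """(table, operation, errorCode) for KMS calls DynamoDB could not complete.

    Without access to the CMK, DynamoDB cannot read the table's data, so
    these are the records to review first.
    """
    return [
        (_table_of(e), e["eventName"], e["errorCode"])
        for e in dynamodb_kms_calls(events)
        if "errorCode" in e
    ]


if __name__ == "__main__":
    for table, counts in kms_calls_per_table(SAMPLE_EVENTS).items():
        print(table, counts)
    print("failed:", failed_dynamodb_kms_calls(SAMPLE_EVENTS))
```

In practice the records come from the CloudTrail log files in S3 or from a LookupEvents query; feed the parsed `Records` list to the same two functions.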

AWS managed CMK

Encryption at rest automatically integrates with AWS KMS to manage the AWS managed CMK for DynamoDB (aws/dynamodb) that is used for encrypted tables. If the AWS managed CMK does not yet exist when you create an encrypted DynamoDB table, AWS KMS automatically creates a new key for you. This key is then used to encrypt tables created in the future. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

Note

Amazon DynamoDB cannot read your table data unless it has access to the AWS managed CMK stored in your AWS KMS account. DynamoDB uses envelope encryption and a key hierarchy to encrypt data. Your AWS KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see Envelope encryption in the AWS Key Management Service Developer Guide.

DynamoDB does not call AWS KMS for every DynamoDB operation. The key is refreshed once every five minutes for each client connection with active traffic.

Origin www.cnblogs.com/cloudrivers/p/11617392.html