How DynamoDB uses AWS KMS

Amazon DynamoDB is a fully managed, scalable NoSQL database service. DynamoDB integrates with AWS Key Management Service (AWS KMS) to support its encryption at rest server-side encryption feature.

With encryption at rest, DynamoDB transparently encrypts all customer data in a DynamoDB table, including its primary key and its local and global secondary indexes, whenever the table is persisted to disk. (If the table has a sort key, some of the sort key values that mark range boundaries are stored in plaintext in the table metadata.) When you access the table, DynamoDB transparently decrypts the table data. You do not need to change your application to use or manage encrypted tables.

Encryption at rest also protects DynamoDB streams, global tables, and backups whenever these objects are saved to durable media. The statements about tables in this topic also apply to these objects.

All DynamoDB tables are encrypted. There is no option to enable or disable encryption for new or existing tables. By default, all tables are encrypted under an AWS owned customer master key (CMK) in the DynamoDB service account. However, you can choose to encrypt some or all of your tables under the AWS managed CMK for DynamoDB in your own account. Encryption at rest does not support customer managed CMKs.

Using the CMK and data keys

DynamoDB encryption at rest uses an AWS KMS customer master key (CMK) and a hierarchy of data keys to protect your table data. DynamoDB uses the same key hierarchy to protect DynamoDB streams, global tables, and backups when they are written to durable media.

Customer master key (CMK)

Encryption at rest protects your DynamoDB tables under an AWS KMS customer master key (CMK). By default, it uses the AWS owned CMK, but DynamoDB also offers the option to encrypt some or all of your tables under the AWS managed CMK for DynamoDB (aws/dynamodb) in your AWS account. You can choose the CMK for a table when you create or update the table, and you can make a different choice for each table. Encryption at rest does not support the use of a customer managed CMK.

Use the AWS managed CMK if you need any of the following features:

  • You can view the CMK and its key policy. (You cannot change the key policy.)

  • You can audit the encryption and decryption of your DynamoDB tables by examining the DynamoDB API calls to AWS KMS in AWS CloudTrail logs.

However, the AWS owned CMK is free of charge. The AWS managed CMK incurs a charge for each API call.

You can change the CMK for a table at any time, either in the DynamoDB console or by using the UpdateTable operation. When you change the CMK, DynamoDB generates a new table key. It then uses the new table key to re-encrypt the data encryption keys.

Whichever CMK you choose, the process of creating the table key with the CMK is the same.
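The CMK choice above is visible in the SSEDescription element of a DescribeTable response and is changed through the SSESpecification parameter of UpdateTable. The following audit script is an added example for this page, not AWS code: it classifies tables by key type, flags those whose KMS calls will not appear in CloudTrail (the AWS owned CMK), and builds the UpdateTable parameters for moving a table to the AWS managed CMK. The DescribeTable responses and key ARN are constructed sample data so the script runs offline.

```python
"""Audit which CMK protects each DynamoDB table and prepare the switch to aws/dynamodb.

Added example, not AWS code. It consumes the SSEDescription element of a real
DescribeTable response; the responses and key ARN below are constructed samples.
"""

AWS_OWNED = "AWS owned CMK"      # default; no CloudTrail visibility of KMS calls, no charge
AWS_MANAGED = "AWS managed CMK"  # aws/dynamodb; KMS calls logged in CloudTrail, per-call charge


def key_type(describe_table_response: dict) -> str:
    """Return which CMK protects the table described by a DescribeTable response."""
    sse = describe_table_response["Table"].get("SSEDescription")
    if not sse or sse.get("Status") not in ("ENABLED", "ENABLING"):
        # Tables under the AWS owned CMK carry no SSEDescription at all.
        return AWS_OWNED
    if sse.get("SSEType") == "KMS" and sse.get("KMSMasterKeyArn"):
        return AWS_MANAGED
    raise ValueError(f"unrecognised SSEDescription: {sse}")


def sse_spec_for_aws_managed_cmk() -> dict:
    """SSESpecification for UpdateTable that selects the AWS managed CMK (aws/dynamodb).

    Omitting KMSMasterKeyId selects aws/dynamodb. DynamoDB then generates a new table
    key and re-encrypts the table's data encryption keys under it.
    """
    return {"Enabled": True, "SSEType": "KMS"}


def audit(describe_table_responses: list[dict]) -> list[dict]:
    """One finding per table: key type, CloudTrail auditability, remediation parameters."""
    findings = []
    for resp in describe_table_responses:
        kind = key_type(resp)
        findings.append({
            "table": resp["Table"]["TableName"],
            "key": kind,
            "kms_calls_in_cloudtrail": kind == AWS_MANAGED,
            "remediation": None if kind == AWS_MANAGED else sse_spec_for_aws_managed_cmk(),
        })
    return findings


# Constructed DescribeTable responses, trimmed to the fields the audit needs.
SAMPLE_TABLES = [
    {"Table": {"TableName": "orders"}},  # AWS owned CMK: no SSEDescription returned
    {"Table": {"TableName": "sessions", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLES):
        print(finding)
```

In a live account, feed `audit()` the output of `describe_table` for each table returned by `list_tables`; the `remediation` dictionary is passed as `SSESpecification` to `update_table`.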

Table key

DynamoDB uses the CMK for the table to generate and encrypt a unique data key for that table, known as the table key. The table key persists for the lifetime of the encrypted table.

The table key is used as a key encryption key. DynamoDB uses the table key to protect the data encryption keys that encrypt the table data. DynamoDB generates a unique data encryption key for each underlying structure in a table, but multiple items in the same table may be protected by the same data encryption key.


(Figure: encrypting a DynamoDB table with encryption at rest)
Source: www.cnblogs.com/cloudrivers/p/11617382.html