Ensure that your Amazon DynamoDB tables are using AWS-managed Customer Master Keys (CMKs) instead of AWS-owned CMKs for Server-Side Encryption (SSE), in order to meet strict encryption compliance and regulatory requirements. DynamoDB has added support to enable you to switch from AWS-owned CMKs to customer-managed CMKs managed by AWS Key Management Service (KMS), without having to implement any code or application changes to encrypt your data.
Organizational policies, industry or government regulations, and internal compliance requirements often require the use of Server-Side Encryption (SSE) using AWS-managed KMS Customer Master Keys (CMKs) to enhance the data security of your Amazon DynamoDB-based applications. Unlike the AWS-owned key, with AWS-managed CMK you can view the CMK and its key policy and audit the encryption and decryption of your DynamoDB data by examining the DynamoDB API calls to Amazon KMS using AWS CloudTrail.
To determine the Server-Side Encryption (SSE) type configured for your AWS DynamoDB tables, perform the following actions:
To reconfigure your existing Amazon DynamoDB tables to use AWS-managed Customer Master Keys (CMKs) for Server-Side Encryption (i.e. encryption at rest), perform the following actions:
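The audit described in the first procedure and the reconfiguration described in the second, as one added boto3 example (not code from the original page or from AWS). It classifies each table from its `DescribeTable` output: a table with no `SSEDescription` is on the AWS-owned key, and a table with `SSEType` `KMS` is on either the AWS-managed key (`alias/aws/dynamodb`, reported by `kms:DescribeKey` as `KeyManager` `AWS`) or a customer-managed CMK. Tables on the AWS-owned key are switched with `UpdateTable`, where an `SSESpecification` that omits `KMSMasterKeyId` selects the AWS-managed key. The table names, key ARNs and account id are constructed placeholders, and the live AWS calls only run from `main()`.

```python
"""Audit and remediate the SSE key type of DynamoDB tables (constructed example).

Classification, from the DescribeTable and kms:DescribeKey response shapes:
  * no SSEDescription (or SSEType != "KMS")       -> AWS-owned key
  * SSEType "KMS" and KeyManager == "AWS"         -> AWS-managed CMK (alias/aws/dynamodb)
  * SSEType "KMS" and KeyManager == "CUSTOMER"    -> customer-managed CMK
"""
from typing import Callable, Dict, List

try:
    import boto3  # only required for the live calls in main()
except ImportError:  # the classifier and planner run offline without it
    boto3 = None

AWS_OWNED = "AWS_OWNED"
AWS_MANAGED = "AWS_MANAGED"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED"

# Constructed DescribeTable["Table"] fragments; account id and key ids are placeholders.
SAMPLE_TABLES: List[Dict] = [
    {"TableName": "orders"},  # DescribeTable omits SSEDescription on the AWS-owned key
    {"TableName": "customers",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED"}},
    {"TableName": "audit",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER"}},
]

# Constructed stand-in for kms:DescribeKey -> KeyMetadata.KeyManager
_SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER": "CUSTOMER",
}


def sample_key_manager(key_arn: str) -> str:
    """Offline lookup used by the constructed sample; replace with live_key_manager()."""
    return _SAMPLE_KEY_MANAGER[key_arn]


def classify_sse(table: Dict, key_manager: Callable[[str], str]) -> str:
    """Return AWS_OWNED, AWS_MANAGED or CUSTOMER_MANAGED for one DescribeTable result."""
    sse = table.get("SSEDescription") or {}
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return AWS_OWNED
    return AWS_MANAGED if key_manager(sse["KMSMasterKeyArn"]) == "AWS" else CUSTOMER_MANAGED


def managed_cmk_spec() -> Dict:
    """SSESpecification for UpdateTable; omitting KMSMasterKeyId selects alias/aws/dynamodb."""
    return {"Enabled": True, "SSEType": "KMS"}


def plan_remediation(tables: List[Dict], key_manager: Callable[[str], str]) -> List[str]:
    """Names of tables still on the AWS-owned key; customer-managed CMKs are left alone."""
    return [t["TableName"] for t in tables if classify_sse(t, key_manager) == AWS_OWNED]


def live_key_manager(kms_client) -> Callable[[str], str]:
    """Resolve KeyManager through kms:DescribeKey (accepts a key ARN as KeyId)."""
    def lookup(key_arn: str) -> str:
        return kms_client.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"]
    return lookup


def main(region: str = "us-east-1", apply: bool = False) -> None:
    """Audit every table in the region and, with apply=True, switch AWS-owned ones."""
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    tables = [ddb.describe_table(TableName=name)["Table"]
              for page in ddb.get_paginator("list_tables").paginate()
              for name in page["TableNames"]]
    key_manager = live_key_manager(kms)
    for t in tables:
        print(f"{t['TableName']}: {classify_sse(t, key_manager)}")
    for name in plan_remediation(tables, key_manager):
        if not apply:
            print(f"{name}: would switch to the AWS-managed CMK (run with apply=True)")
            continue
        ddb.update_table(TableName=name, SSESpecification=managed_cmk_spec())
        # UpdateTable is asynchronous; the waiter returns once the table is ACTIVE again
        ddb.get_waiter("table_exists").wait(TableName=name)
        print(f"{name}: switched to the AWS-managed CMK")


if __name__ == "__main__":
    main()
```

Run it once without `apply=True` to get a dry-run listing, then with it to perform the switch; the `kms:DescribeKey` step is what separates the AWS-managed key from a customer-managed one, since both appear as `SSEType` `KMS` in the table description.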