When you create your DynamoDB database, you have three options to encrypt your database with. Let's take a look at these options in the console:
- From the AWS Management Console, select DynamoDB from the Database category:
- Select Create table:
- You will then be presented with the following screen:
- Uncheck the Use default settings checkbox under Table settings.
- Scroll down to the Encryption At Rest section:
Here, you can see that there are three options:
-
- DEFAULT: This is a key that is owned by Amazon DynamoDB and provides the default encryption for your tables. It is free of charge and is stored outside of your AWS account.
- KMS - Customer managed CMK: Select this option if you want to use your own customer-managed KMS key, which is stored in your own AWS account. Using your own CMK incurs a cost.
- KMS - AWS managed CMK: This final option allows you to use an AWS-managed key. Again, this also incurs a cost, and it is also stored in your...