AWS DynamoDB Table is not encrypted with the Customer Master Key (CMK)


Amazon DynamoDB supports encryption at rest, a server-side encryption option that encrypts your data after it's written to disk. By default, Amazon DynamoDB uses AWS owned keys to encrypt your table data. However, for tighter security and control over encryption, you can use AWS Key Management Service (KMS) with a Customer Master Key (CMK). This ensures that only entities with permissions to use the CMK can read the DynamoDB data.


1. Enable Encryption using a Customer Master Key (CMK):

AWS Management Console:
  • Navigate to the DynamoDB service.
  • Choose the table you want to modify.
  • In the Overview tab, under Table details, you should see Encryption.
  • Click on Switch encryption key.
  • Choose Use a KMS master key from your account and then select the desired CMK.
  • Click on Save.
aws dynamodb update-table \
  --table-name <YOUR-TABLE-NAME> \
  --sse-specification Enabled=true,SSEType="KMS",KMSMasterKeyId="<YOUR-KMS-KEY-ID>"

Replace <YOUR-TABLE-NAME> with your DynamoDB table's name and <YOUR-KMS-KEY-ID> with your CMK ID.

resource "aws_dynamodb_table" "example" {
  name           = "<YOUR-TABLE-NAME>"
  hash_key       = "exampleHashKey"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "exampleHashKey"
    type = "N"

  # ... other configurations ...

  # Enable server-side encryption with CMK
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.example.arn

resource "aws_kms_key" "example" {
  description = "KMS key for DynamoDB"
  // other configurations...

Replace <YOUR-TABLE-NAME> with the name of your DynamoDB table.


To ensure that your data is encrypted using a key that you manage, always use a CMK for encryption in services that support it. Regularly rotate and audit CMK keys, and ensure that only necessary entities have permissions to use them.