Is DynamoDB encrypted?

Yes. All DynamoDB data is encrypted at rest by default, using encryption keys stored in AWS Key Management Service (KMS), and encryption cannot be turned off. You choose the key type — an AWS owned key (the default, free), an AWS managed key, or a customer managed key — and data in transit is protected with HTTPS/TLS.

What encryption at rest covers

Encryption applies to everything an encrypted table stores on durable media: the table itself including its primary key, local and global secondary indexes, streams, global tables, and backups. Note that if your table has a sort key, some of the sort keys that mark range boundaries are stored in plaintext in the table metadata.

The three key options

  • AWS owned key — the default. Owned and managed by DynamoDB, at no additional charge.
  • AWS managed key — stored in your account and managed by AWS KMS (KMS charges apply).
  • Customer managed key — created, owned, and rotated by you, with full control over access (KMS charges apply).

You can switch between key types at any time from the console, CLI, or API.

It's transparent to your application

DynamoDB decrypts data transparently when you read it. You don't change any code to work with an encrypted table, queries work unchanged, and latency stays in the same single-digit-millisecond range. For end-to-end protection of individual attribute values before they leave your application, AWS also offers client-side encryption via the AWS Database Encryption SDK.

Go deeper

Backups are encrypted too — see how they work in the backups & PITR guide, estimate table costs (KMS is billed separately) with the pricing calculator, and download DynoTable to browse your encrypted tables — decryption is handled by AWS before the data reaches any client.

References

Last verified 2026-07-13 against the official AWS documentation linked above.

Work with DynamoDB without the Console

DynoTable is a fast desktop client for DynamoDB — browse tables, run SQL-style queries, and edit items locally.