DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs


Although DynamoDB tables are encrypted at rest by default with AWS owned CMKs, using AWS managed CMKs or customer managed CMKs provides additional functionality via AWS KMS, such as viewing key policies, auditing usage, and rotating cryptographic material.

Remediation Steps

AWS Console

  • Navigate to DynamoDB.

  • In the navigation pane, choose Tables.

  • Select your table.

  • On the Overview tab, locate Encryption Type under Table details.

  • Click Manage Encryption.

  • Select KMS.

  • Click Save.

AWS CLI

  • KMS encryption can be enabled at table creation and on an existing table.

  • Create a KMS encrypted DynamoDB table:

    • aws dynamodb create-table --table-name <table-name> --attribute-definitions <attribute-names> --key-schema <attribute-names> --provisioned-throughput <throughput-parameters> --sse-specification Enabled=true,SSEType=KMS

  • Update an existing table with KMS encryption:

    • aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS

Terraform

  • Ensure that the server_side_encryption block of the aws_dynamodb_table resource has the enabled field set to true.

Example Configuration

resource "aws_dynamodb_table" "example" {
  # other required fields here (name, hash_key, attribute, billing_mode or capacity)
  server_side_encryption {
    enabled = true
    # with no kms_key_arn the AWS managed key alias/aws/dynamodb is used;
    # set kms_key_arn to the ARN of a customer managed CMK to use that instead
  }
}
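As an added example, not code from the original page, the following Python check audits tables for this rule using the DescribeTable response shape (a table on the default AWS owned key carries no SSEDescription at all); audit_account assumes a boto3 DynamoDB client and the sample responses are constructed.

```python
# Added example: detect DynamoDB tables still encrypted with the default
# AWS owned key rather than an AWS managed or customer managed KMS CMK.
from typing import Dict, Iterable, List


def is_kms_encrypted(table: Dict) -> bool:
    """True when the DescribeTable 'Table' element reports an enabled KMS key.

    Per the DynamoDB API, a table using the AWS owned key has no SSEDescription;
    AWS managed and customer managed CMKs both report SSEType 'KMS' together
    with a KMSMasterKeyArn. Anything not ENABLED is treated as non-compliant.
    """
    sse = table.get("SSEDescription") or {}
    return sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"


def find_noncompliant(tables: Iterable[Dict]) -> List[str]:
    """Return the names of tables that fail this rule."""
    return [t["TableName"] for t in tables if not is_kms_encrypted(t)]


def audit_account(dynamodb_client) -> List[str]:
    """Walk every table in the client's region (assumes a boto3 DynamoDB client)."""
    names: List[str] = []
    for page in dynamodb_client.get_paginator("list_tables").paginate():
        names.extend(page["TableNames"])
    tables = [dynamodb_client.describe_table(TableName=n)["Table"] for n in names]
    return find_noncompliant(tables)


# Constructed sample responses, shaped like DescribeTable output.
SAMPLE_TABLES = [
    {"TableName": "orders"},  # no SSEDescription: AWS owned key, non-compliant
    {
        "TableName": "sessions",
        "SSEDescription": {
            "Status": "ENABLED",
            "SSEType": "KMS",
            "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    },
]

if __name__ == "__main__":
    print("non-compliant tables:", find_noncompliant(SAMPLE_TABLES))
```

Telling an AWS managed key apart from a customer managed one needs a further kms describe-key call on the KMSMasterKeyArn (its KeyManager field), which this check does not perform.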