AWS DynamoDB Security

DynamoDB Security

  • DynamoDB provides a highly durable storage infrastructure for mission-critical and primary data storage.
  • Data is redundantly stored on multiple devices across multiple facilities in a DynamoDB Region.
  • AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
  • DynamoDB protects user data stored at rest and in transit between on-premises clients and DynamoDB, and between DynamoDB and other AWS resources within the same AWS Region.
  • Fine-Grained Access Control (FGAC) gives a high degree of control over data in the table.
  • FGAC helps control who (caller) can access which items or attributes of the table and perform what actions (read/write capability).
  • FGAC is integrated with IAM, which manages the security credentials and the associated permissions.
  • VPC Endpoints allow private connectivity from within a VPC only to DynamoDB.

DynamoDB Resource-Based Policies – March 2024

  • DynamoDB now supports resource-based policies to simplify access control for DynamoDB resources.
  • Resource-based policies allow you to specify IAM principals that have access to a resource and what actions they can perform directly on the resource.
  • Simplifies cross-account access without requiring IAM role assumption.
  • Can be attached to:
    • DynamoDB tables
    • DynamoDB Streams
  • Resource-based policies work alongside IAM identity policies for comprehensive access control.
  • Enables fine-grained permissions at the resource level.
  • Useful for scenarios like:
    • Cross-account data sharing
    • Third-party integrations
    • Service-to-service access

DynamoDB Global Tables Multi-Account Replication – February 2026

  • DynamoDB global tables now support replication across multiple AWS accounts.
  • Enables improved resiliency and workload isolation at the account level.
  • Allows applying distinct security and governance controls per account.
  • Supports data perimeter guardrails using AWS Organizations.
  • DynamoDB automatically replicates tables across accounts and Regions.
  • Ideal for:
    • Multi-account strategies with AWS Organizations
    • Improved security isolation between workloads
    • Disaster recovery (DR) with account-level failover
    • Separating workloads by business unit
  • Available in all AWS Regions, billed per existing global tables pricing.

DynamoDB Encryption

  • DynamoDB Security supports both encryption at rest and in transit.

Encryption in Transit

  • DynamoDB Data in Transit encryption can be done by encrypting sensitive data on the client side or using encrypted connections (TLS).
  • DAX supports encryption in transit, ensuring that all requests and responses between the application and the cluster are encrypted by transport level security (TLS), and connections to the cluster can be authenticated by verification of a cluster x509 certificate.
  • All the data in DynamoDB is encrypted in transit.
  • Communications to and from DynamoDB use the HTTPS protocol, which protects network traffic using SSL/TLS encryption.
  • Data can also be protected using client-side encryption.

Encryption at Rest

  • Encryption at rest enables encryption for the data persisted (data at rest) in the DynamoDB tables.
  • Encryption at rest includes the base tables, primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters.
  • Encryption at rest is enabled on all DynamoDB table data and cannot be disabled.
  • Encryption at rest automatically integrates with AWS KMS for managing the keys used for encrypting the tables.
  • Encryption at rest supports the following KMS keys:
    • AWS owned key – Default encryption type. The key is owned by DynamoDB (no additional charge).
    • AWS managed key – The key is stored in your account and is managed by AWS KMS (AWS KMS charges apply).
    • Customer managed key – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (AWS KMS charges apply).
  • Encryption at rest can be enabled only for a new table and encryption keys can be switched for an existing table.
  • DynamoDB streams can be used with encrypted tables and are always encrypted with a table-level encryption key.
  • On-Demand Backups of encrypted DynamoDB tables are encrypted using S3’s Server-Side Encryption.
  • Encryption at rest encrypts the data using 256-bit AES encryption.
  • DAX clusters do not support customer-managed KMS keys. DAX uses AWS owned keys only.

AWS Database Encryption SDK (formerly DynamoDB Encryption Client)

  • The AWS Database Encryption SDK (previously known as the DynamoDB Encryption Client, renamed June 2023) is a software library that helps protect table data before sending it to DynamoDB.
  • Encrypting sensitive data in transit and at rest helps ensure that the plaintext data isn’t available to any third party, including AWS.
  • Provides end-to-end data encryption with attribute-level control.
  • Encrypts attribute values that can be controlled but does not encrypt the entire table, attribute names, or primary key.
  • Supports searchable encryption, allowing encrypted attributes to be queried without decryption.
  • Compatible with the legacy DynamoDB Encryption Client — can decrypt items encrypted by the older library.

DynamoDB Deletion Protection

  • DynamoDB supports deletion protection to prevent tables from being accidentally deleted.
  • When enabled, any attempt to delete the table will fail until deletion protection is explicitly disabled.
  • Helps prevent disruption to business operations from accidental table deletion during regular management tasks.
  • AWS Security Hub control DynamoDB.6 checks that deletion protection is enabled on DynamoDB tables.
  • Recommended as a security best practice for all production tables.

VPC Endpoints

  • By default, communications to and from DynamoDB use the HTTPS protocol, which protects network traffic by using SSL/TLS encryption.
  • DynamoDB supports two types of VPC endpoints: Gateway Endpoints and Interface Endpoints (using AWS PrivateLink).

Gateway Endpoints

  • A VPC gateway endpoint for DynamoDB enables EC2 instances in the VPC to use their private IP addresses to access DynamoDB with no exposure to the public internet.
  • Traffic between the VPC and the AWS service does not leave the Amazon network.
  • EC2 instances do not require public IP addresses, an internet gateway, a NAT device, or a virtual private gateway in the VPC.
  • VPC Endpoint Policies to control access to DynamoDB.
  • No additional charge for using gateway endpoints.
  • Accessible only from within the VPC where they are created.

Interface Endpoints (AWS PrivateLink)

DynamoDB Interface Endpoints – March 2024

  • DynamoDB now supports AWS PrivateLink with interface VPC endpoints.
  • Interface endpoints are represented by elastic network interfaces (ENIs) with private IP addresses.
  • Accessible from:
    • Within the VPC
    • On-premises networks via AWS Direct Connect or Site-to-Site VPN
    • Other AWS Regions via VPC peering
  • Eliminates need for public IP addresses, proxy infrastructure, or firewall rules for on-premises access.
  • Supports private DNS names for simplified connectivity.
  • Standard AWS PrivateLink charges apply.

DynamoDB Streams Interface Endpoints – March 2025

  • DynamoDB Streams APIs now support AWS PrivateLink.
  • Enables private access to DynamoDB Streams APIs without traversing the public internet.
  • Supports GetRecords, GetShardIterator, and DescribeStream operations.
  • Only interface endpoints are supported for DynamoDB Streams (gateway endpoints not supported).

DynamoDB Streams FIPS Endpoints via PrivateLink – May 2026

  • DynamoDB Streams now supports AWS PrivateLink for FIPS endpoints in AWS GovCloud (US) Regions.
  • Allows government agencies to establish private connectivity to DynamoDB Streams FIPS endpoints without exposing traffic to the public internet.
  • Helps meet strict federal compliance and regulatory requirements.
  • Available in AWS GovCloud (US-East), GovCloud (US-West), US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Canada (Central), and Canada West (Calgary).
  • Enables compliant change data capture (CDC) solutions and event-driven architectures that adhere to federal security standards.

DAX Interface Endpoints – October 2025

  • DynamoDB Accelerator (DAX) now supports AWS PrivateLink.
  • Enables secure access to DAX management APIs over private IP addresses.
  • Supported APIs: CreateCluster, DescribeClusters, DeleteCluster.
  • Accessible using private DNS names.

DynamoDB VPC Endpoint

DynamoDB Security Best Practices

  • DynamoDB encrypts at rest all user data stored in tables, indexes, streams, and backups using encryption keys stored in KMS.
  • DynamoDB can be configured to use an AWS owned key (default encryption type), an AWS managed key, or a customer managed key to encrypt user data.
  • Use customer-managed KMS keys for enhanced control over encryption keys with rotation policies.
  • Use IAM Roles to authenticate access to DynamoDB.
  • Implement resource-based policies for simplified cross-account access control.
  • Use Fine-Grained Access Control (FGAC) to control access at item and attribute level.
  • Use VPC gateway endpoints for cost-effective private access from within VPC.
  • Use interface endpoints (AWS PrivateLink) for private access from on-premises or cross-region.
  • AWS Database Encryption SDK is a software library that helps in client-side encryption and protects the table data before you send it to DynamoDB.
  • Enable deletion protection on all production tables to prevent accidental deletion (Security Hub DynamoDB.6).
  • Enable AWS CloudTrail for auditing access to encryption keys and DynamoDB operations.
  • Apply principle of least privilege when defining IAM policies.
  • Regularly review and rotate access credentials and encryption keys.
  • Use multi-account global tables for enhanced security isolation and data perimeter enforcement.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. What are the services supported by VPC endpoints, using the Gateway endpoint type?
    1. Amazon EFS
    2. Amazon DynamoDB
    3. Amazon Glacier
    4. Amazon SQS
  2. A company needs to provide cross-account access to a DynamoDB table without requiring IAM role assumption. Which feature should they use?
    1. IAM identity policies
    2. VPC endpoint policies
    3. Resource-based policies
    4. Fine-grained access control
  3. A company needs to access DynamoDB from their on-premises data center over AWS Direct Connect without traversing the public internet. Which solution should they use?
    1. VPC gateway endpoint
    2. VPC interface endpoint with AWS PrivateLink
    3. Internet gateway
    4. NAT gateway
  4. Which DynamoDB Streams access method supports AWS PrivateLink?
    1. Gateway endpoints
    2. Interface endpoints
    3. Both gateway and interface endpoints
    4. Neither gateway nor interface endpoints
  5. A company wants to minimize costs for private VPC access to DynamoDB from EC2 instances within the same VPC. Which endpoint type should they use?
    1. Interface endpoint
    2. Gateway endpoint
    3. Both are equally cost-effective
    4. Neither supports this use case
  6. Which of the following statements about DynamoDB security are correct? (Select THREE)
    1. Resource-based policies simplify cross-account access
    2. Gateway endpoints are accessible from on-premises networks
    3. DAX supports AWS PrivateLink for management APIs
    4. Encryption at rest can be disabled for tables
    5. DynamoDB Streams only supports interface endpoints, not gateway endpoints
  7. What encryption key type provides the most control over key management for DynamoDB?
    1. AWS owned key
    2. AWS managed key
    3. Customer managed key
    4. All provide equal control
  8. A government agency needs to privately access DynamoDB Streams using FIPS-compliant endpoints in GovCloud. Which connectivity option should they use?
    1. VPC gateway endpoint
    2. VPC interface endpoint with PrivateLink FIPS endpoints
    3. Public internet with TLS
    4. AWS Direct Connect public VIF
  9. An organization wants to replicate DynamoDB tables across multiple AWS accounts for improved security isolation and disaster recovery. Which feature supports this?
    1. DynamoDB Streams cross-account replication
    2. Resource-based policies with cross-account access
    3. DynamoDB global tables multi-account replication
    4. AWS Backup cross-account copy
  10. Which Security Hub control checks that DynamoDB tables have deletion protection enabled?
    1. DynamoDB.2
    2. DynamoDB.4
    3. DynamoDB.6
    4. DynamoDB.7

References

2 thoughts on “AWS DynamoDB Security

  1. Pingback: AWS DynamoDB

Comments are closed.