DynamoDB - KMS - What is the impact on running services back to Default from AWS Managed CMK
Customer wants to know the following:
For some tables in DynamoDB encryption is changed from "Default" to "KMS - AWS Managed CMK". There is an extra cost associated for using KMS which they want to avoid.
-
Are all the charges from KMS coming from these DynamoDB tables? How to identify that?
-
What is the impact of changing encryption for these tables back to "Default" from console? How to change this without service interruption?
- Newest
- Most votes
- Most comments
- Are all the charges from KMS coming from these DynamoDB tables? How to identify that?
All KMS activity is recorded in CloudTrail logs. See our docs on how DDB uses KMS for more information on how to identify DDB intertion with KMS.
https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html#dynamodb-cmk-trail
- What is the impact of changing encryption for these tables back to "Default" from console? How to change this without service interruption?
The default encryption type uses an AWS owned CMK for DDB server-side encryption. The impact of changing from an AWS managed CMK to the default (AWS owned CMK) is that the table will no longer be protected by a CMK in the customer's account. Changing the CMK used to protect a table will not cause a service interruption: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-update
Please see the DDB Encryption docs for more details on how DDB server-side encryption works: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
Please see the KMS docs for more details on the different kinds of CMKs: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
Relevant content
- asked 5 months ago
- Accepted Answerasked 4 years ago
AWS OFFICIALUpdated 9 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
