DynamoDB - KMS - What is the impact on running services back to Default from AWS Managed CMK

0

Customer wants to know the following:

For some tables in DynamoDB, encryption is changed from "Default" to "KMS - AWS Managed CMK". There is an extra cost associated with using KMS which they want to avoid.

  1. Are all the charges from KMS coming from these DynamoDB tables? How to identify that?

  2. What is the impact of changing encryption for these tables back to "Default" from console? How to change this without service interruption?

AWS
asked 4 years ago, 465 views
1 Answer
0
Accepted Answer
  1. Are all the charges from KMS coming from these DynamoDB tables? How to identify that?

All KMS activity is recorded in CloudTrail logs. See our docs on how DDB uses KMS for more information on how to identify DDB interaction with KMS.

https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html#dynamodb-cmk-trail

  2. What is the impact of changing encryption for these tables back to "Default" from console? How to change this without service interruption?

The default encryption type uses an AWS owned CMK for DDB server-side encryption. The impact of changing from an AWS managed CMK to the default (AWS owned CMK) is that the table will no longer be protected by a CMK in the customer's account. Changing the CMK used to protect a table will not cause a service interruption: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-update

Please see the DDB Encryption docs for more details on how DDB server-side encryption works: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

Please see the KMS docs for more details on the different kinds of CMKs: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys

AWS
answered 4 years ago
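
One way to attribute KMS activity in CloudTrail to DynamoDB tables, as an added example that is not part of the original answer or AWS's own code. It assumes the records carry the `aws:dynamodb:tableName` encryption context key and the `userIdentity.invokedBy` field described in the linked KMS documentation; the function names and the sample records are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (placeholder values, not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"invokedBy": "dynamodb.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:dynamodb:tableName": "Orders",
         "aws:dynamodb:subscriberId": "111122223333"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"invokedBy": "dynamodb.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:dynamodb:tableName": "Orders",
         "aws:dynamodb:subscriberId": "111122223333"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"invokedBy": "s3.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::example-bucket"}}},
    # DescribeKey carries no encryption context; only invokedBy identifies DDB.
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"invokedBy": "dynamodb.amazonaws.com"},
     "requestParameters": {"keyId": "alias/aws/dynamodb"}},
    # Non-KMS event with null requestParameters: must be skipped safely.
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "DescribeTable",
     "userIdentity": {}, "requestParameters": None},
]})

def kms_calls_by_caller(trail_json):
    """Count KMS API calls per (caller, eventName).

    caller is 'dynamodb:<table>' when the encryption context names a table,
    otherwise the invoking service principal, otherwise 'other'."""
    counts = Counter()
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        table = ctx.get("aws:dynamodb:tableName")
        invoked_by = (rec.get("userIdentity") or {}).get("invokedBy", "other")
        caller = f"dynamodb:{table}" if table else invoked_by
        counts[(caller, rec.get("eventName"))] += 1
    return counts

def dynamodb_share(counts):
    """Fraction of the counted KMS calls that were made on behalf of DynamoDB."""
    total = sum(counts.values())
    ddb = sum(n for (caller, _), n in counts.items() if caller.startswith("dynamodb"))
    return ddb / total if total else 0.0

if __name__ == "__main__":
    result = kms_calls_by_caller(SAMPLE_TRAIL)
    for (caller, event), n in sorted(result.items()):
        print(f"{caller:28} {event:16} {n}")
    print(f"DynamoDB share of KMS calls: {dynamodb_share(result):.0%}")
```

A share well below 100% means other services or principals are also driving KMS requests, so switching the tables back to "Default" would not remove all KMS usage.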
