DynamoDB tables should be encrypted with a customer-managed KMS key

Description

DynamoDB tables should be encrypted using a customer-managed KMS key rather than the default AWS-owned key. Customer-managed keys provide full control over key rotation policies, access permissions via KMS key policies, and the ability to revoke or disable the key.

Remediation

Update the table’s encryption settings to use a customer-managed KMS key. For guidance, refer to DynamoDB encryption at rest.
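
The check and the remediation request can be sketched in code. This is an added example, not Datadog's rule logic or code from this page. The function names are hypothetical, and the sample dicts are constructed to match the shape of DynamoDB DescribeTable and KMS DescribeKey responses, with placeholder ARNs. The WARN result for a key that is not enabled is a choice made for this example.

```python
# Added example: classify DynamoDB table encryption from API-shaped dicts.

def classify_table(table, key_metadata):
    """Return (status, detail) for one DescribeTable 'Table' dict.

    key_metadata maps a key ARN to its KMS DescribeKey 'KeyMetadata' dict.
    """
    sse = table.get("SSEDescription")
    # No SSEDescription means the table uses the default AWS owned key.
    if not sse or sse.get("SSEType") != "KMS":
        return ("FAIL", "AWS owned key (default)")
    arn = sse.get("KMSMasterKeyArn")
    meta = key_metadata.get(arn)
    if meta is None:
        return ("UNKNOWN", "no key metadata for " + str(arn))
    # KeyManager is "AWS" for the aws/dynamodb managed key, "CUSTOMER" otherwise.
    if meta.get("KeyManager") != "CUSTOMER":
        return ("FAIL", "AWS managed key")
    if meta.get("KeyState") != "Enabled":
        return ("WARN", "customer-managed key is " + str(meta.get("KeyState")))
    return ("PASS", "customer-managed key")

def remediation_request(table_name, key_arn):
    """Keyword arguments for the DynamoDB UpdateTable call that switches the key."""
    return {"TableName": table_name,
            "SSESpecification": {"Enabled": True, "SSEType": "KMS",
                                 "KMSMasterKeyId": key_arn}}

# Constructed sample data; account ID and key IDs are placeholders.
PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"
KEYS = {
    PREFIX + "EXAMPLE-cmk": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    PREFIX + "EXAMPLE-off": {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
    PREFIX + "EXAMPLE-aws": {"KeyManager": "AWS", "KeyState": "Enabled"},
}

def _table(name, key_id=None):
    t = {"TableName": name}
    if key_id:
        t["SSEDescription"] = {"Status": "ENABLED", "SSEType": "KMS",
                               "KMSMasterKeyArn": PREFIX + key_id}
    return t

TABLES = [_table("orders", "EXAMPLE-cmk"), _table("sessions"),
          _table("audit", "EXAMPLE-aws"), _table("legacy", "EXAMPLE-off")]

def audit(tables=TABLES, keys=KEYS):
    return {t["TableName"]: classify_table(t, keys)[0] for t in tables}

if __name__ == "__main__":
    for name, status in audit().items():
        print(name, status)
```

The dict returned by `remediation_request` can be passed to boto3 as `client.update_table(**kwargs)`.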