When to use the AWS Database Encryption SDK - AWS cryptography services

When to use the AWS Database Encryption SDK

Note

On June 9, 2023, the Amazon DynamoDB Encryption Client was renamed to AWS Database Encryption SDK. The AWS Database Encryption SDK continues to support legacy DynamoDB Encryption Client versions.

The AWS Database Encryption SDK is a set of software libraries that enable you to include client-side encryption in your database design. The AWS Database Encryption SDK provides record-level encryption solutions. You specify which fields are encrypted and which fields are included in the signatures that ensure the authenticity of your data. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party, including AWS.

You can use the AWS Database Encryption SDK for DynamoDB to encrypt and sign your table items before you send them to DynamoDB. It is compatible with the server-side encryption at rest feature that DynamoDB provides for all tables. For a detailed comparison of the AWS Database Encryption SDK for DynamoDB and DynamoDB encryption at rest, see the Client-Side and Server-Side Encryption topic in the AWS Database Encryption SDK Developer Guide.

When Do I Use It?

  • If you need to encrypt and sign DynamoDB table items before you send them to DynamoDB, use the AWS Database Encryption SDK for DynamoDB.

When Do I Use Something Else?

  • You can rely on the server-side encryption at rest feature that Amazon DynamoDB provides. DynamoDB transparently encrypts all tables before writing them to disk and transparently decrypts the tables when you get them. Encryption at rest is provided by default, and you cannot disable it. However, if your data security standards require it, you can use both the AWS Database Encryption SDK and encryption at rest on your table data.

  • With the AWS Database Encryption SDK, you can specify which attribute values you encrypt and which attributes are included in the item signature.
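
The per-attribute choice described above (which values are encrypted and which attributes the item signature covers), shown as an added Python illustration; it is not AWS code and does not call the SDK's API. The action names, the `_signature` attribute, the sample item and keys, and the SHAKE-256 keystream with HMAC-SHA256 are assumptions made here so that it runs with only the standard library.

```python
import hashlib, hmac, json, os

ENCRYPT_AND_SIGN, SIGN_ONLY, DO_NOTHING = "ENCRYPT_AND_SIGN", "SIGN_ONLY", "DO_NOTHING"
FOOTER = "_signature"  # hypothetical attribute that stores the item signature

# Constructed sample: one action per attribute, chosen by the application.
ACTIONS = {"patient_id": SIGN_ONLY, "diagnosis": ENCRYPT_AND_SIGN, "last_viewed": DO_NOTHING}
SAMPLE = {"patient_id": "p-1001", "diagnosis": "constructed text", "last_viewed": "2024-01-01"}

def _keystream_xor(key, nonce, data):
    # Stand-in cipher (SHAKE-256 keystream) so the example needs no third-party package.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _signature(mac_key, stored, actions):
    # Covers the name and stored value of every attribute that is not DO_NOTHING.
    signed = {k: v for k, v in stored.items() if actions[k] != DO_NOTHING}
    payload = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(mac_key, payload, hashlib.sha256).hexdigest()

def protect_item(item, actions, enc_key, mac_key):
    """Client side, before the write: encrypt selected values, then sign."""
    stored = {}
    for name, value in item.items():
        if actions[name] == ENCRYPT_AND_SIGN:
            nonce = os.urandom(16)
            value = (nonce + _keystream_xor(enc_key, nonce, value.encode())).hex()
        stored[name] = value
    stored[FOOTER] = _signature(mac_key, stored, actions)
    return stored

def open_item(stored, actions, enc_key, mac_key):
    """Client side, after the read: verify the signature, then decrypt."""
    body = {k: v for k, v in stored.items() if k != FOOTER}
    expected = _signature(mac_key, body, actions)  # KeyError on an attribute with no action
    if not hmac.compare_digest(stored.get(FOOTER, ""), expected):
        raise ValueError("signature mismatch: a signed attribute was changed")
    item = {}
    for name, value in body.items():
        if actions[name] == ENCRYPT_AND_SIGN:
            raw = bytes.fromhex(value)
            value = _keystream_xor(enc_key, raw[:16], raw[16:]).decode()
        item[name] = value
    return item
```

In this sketch a change to `last_viewed` after the write is accepted on read, while a change to `patient_id` or `diagnosis` is rejected, which is the practical difference between leaving an attribute out of the signature and including it.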