Amazon-rds – How does an encrypted DynamoDB (the same question applies to RDS as well) query work

amazon-rdsdynamodbencryptionencryption-key

I am trying to understand whether the primary key is encrypted when I choose to encrypt at rest for AWS DynamoDB

    1. If the primary key is encrypted, how does a primary-key lookup get
      performed under the hood?
    1. If the primary key is not encrypted, then I know how DynamoDB is
      implemented under the hood, but it seems that it's not entirely safe
      for some use cases. Any comment on this?

Furthermore, if I choose to have a Global Secondary Index for my DynamoDB table, are the primary key of the Global Secondary Index table encrypted?

    1. If not encrypted, I kinda understand how it works under the hood, but certainly some of my data get revealed in plain text;
    1. If encrypted, I'd appreciate understanding how it works.

Best Answer

For DynamoDB encryption at rest, it means the table is encrypted on disk, not each of the attributes of the items in the table. This is true for any database talking about encryption at rest. That at rest means on disk. Now if you were to implement application data level encryption on your own, then what you are talking about would come into play.

One thing to know is that as of a few weeks ago, all DynamoDB tables are encrypted at rest by default.