AWS Security ChangesHomeSearch

AWS aws-backup high security documentation change

Service: aws-backup · 2026-02-16 · Security-related high

File: aws-backup/latest/devguide/restoring-dynamodb.md

Summary

Corrected and clarified encryption options for DynamoDB restores, including AWS-owned, AWS-managed, and customer-managed keys

Security assessment

The changes explicitly document encryption options during restores, which is a critical security control. The correction of encryption types (including KMS key management) directly impacts data protection. Evidence: Added specific encryptionType parameters and KMS key ARN examples.

Diff

diff --git a/aws-backup/latest/devguide/restoring-dynamodb.md b/aws-backup/latest/devguide/restoring-dynamodb.md
index 47bd4534a..9bbb550a6 100644
--- a//aws-backup/latest/devguide/restoring-dynamodb.md
+++ b//aws-backup/latest/devguide/restoring-dynamodb.md
@@ -77 +77 @@ The following is an example of the `restoreMetadata` argument for a `StartRestor
-The preceding example encrypts the restored table using an AWS-owned key. The part of the restore metadata that specifies encryption using the AWS-owned key is: `\"encryptionType\":\"Default\","kmsMasterKeyArn\":\"Not Applicable\"`.
+The preceding example encrypts the restored table using a customer-managed key.
@@ -79 +79 @@ The preceding example encrypts the restored table using an AWS-owned key. The pa
-To encrypt your restored table using an AWS-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"Not Applicable\"`.
+To encrypt your restored table using an AWS-owned key, specify the following restore metadata: `"encryptionType\":\"Default\"`.
@@ -81 +81,3 @@ To encrypt your restored table using an AWS-managed key, specify the following r
-To encrypt your restored table using an customer-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"`arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\"`.
+To encrypt your restored table using an AWS-managed key, omit the `kmsMasterKeyArn` parameter and specify: `"encryptionType\":\"KMS\"`.
+
+To encrypt your restored table using a customer-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"`arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\"`.