AWS Security ChangesHomeSearch

AWS amazondynamodb documentation change

Service: amazondynamodb · 2026-07-04 · Documentation low

File: amazondynamodb/latest/developerguide/encryption.usagenotes.md

Summary

Added clarification that KMS key aliases resolve to specific key IDs at assignment time, and alias updates don't automatically rotate encryption keys for existing tables.

Security assessment

This documents expected encryption key management behavior but doesn't address a specific vulnerability. It enhances security documentation by clarifying key rotation requirements, but lacks evidence of fixing an existing security issue.

Diff

diff --git a/amazondynamodb/latest/developerguide/encryption.usagenotes.md b/amazondynamodb/latest/developerguide/encryption.usagenotes.md
index 77397efc3..337708749 100644
--- a//amazondynamodb/latest/developerguide/encryption.usagenotes.md
+++ b//amazondynamodb/latest/developerguide/encryption.usagenotes.md
@@ -75,0 +76,4 @@ You select the KMS key for a table when you create or update the table. You can
+###### Note
+
+When you specify a KMS key by using a key alias, DynamoDB resolves the alias to the underlying KMS key ID at the time you set it and associates that KMS key with the table. If you later change the alias to point to a different KMS key, the table continues to use the originally resolved KMS key; updating the alias does not change the KMS key that protects the table. To protect the table with a different KMS key, change the table's encryption key directly in the DynamoDB console or by using the [UpdateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) operation.
+