Status: IN
DynamoDB encryption provides defense-in-depth with a zero-cost baseline: AWS owned keys are free with no KMS quota impact, customer-managed keys add audit trails via encryption context (table name + account ID), and KMS key caching with 5-minute refresh limits operational overhead.