Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance regulations, and allows for a more specific key rotation period. With system-generated keys, expired or exposed keys can sometimes remain in use, leaving data insecure. It is often recommended to use a customer managed key when the service is available.
In AWS Console -
In Terraform -
In the aws_dynamodb_table resource, set 'server_side_encryption.enabled' to 'true' and set 'server_side_encryption.kms_key_arn' to a valid AWS KMS Key ARN.
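The Terraform setting described above, shown as a table that falls back to the AWS managed key beside one that uses a customer managed key. This is an added example, not part of the original page; the resource names, table names and attribute name are hypothetical.

```hcl
# Customer managed key created in the same configuration (hypothetical name).
# enable_key_rotation turns on automatic rotation of the key material.
resource "aws_kms_key" "dynamodb_cmk" {
  description             = "Customer managed key for DynamoDB encryption at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Non-compliant: encryption is enabled but no kms_key_arn is given, so the
# table uses the AWS managed key (alias/aws/dynamodb). Omitting the
# server_side_encryption block entirely leaves the table on an AWS owned key.
resource "aws_dynamodb_table" "orders_default_key" {
  name         = "orders-default-key" # hypothetical table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}

# Compliant: enabled is true and kms_key_arn points at the customer managed key.
resource "aws_dynamodb_table" "orders_cmk" {
  name         = "orders-cmk" # hypothetical table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb_cmk.arn
  }
}
```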
References:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption