AWS DynamoDb tables can be encrypted with a DynamoDB-managed key or a key from the customer's KMS service that's managed either by AWS or the customer. Choosing the latter gives the customer the most flexibility and better security overall. Having full ownership of the keys used for encryption across the cloud infrastructure gives the customer the ability to set permissions on the keys directly, disable them in the event of a breach, rotate the keys as needed, and even schedule them for deletion. It is considered best practice to use KMS Keys that are fully customer-managed whenever possible.
In AWS Console -
In Terraform -
References:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption