DynamoDB best encryption tier?


DynamoDB offers encryption at rest, in 3 tiers: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

  1. AWS owned CMK – Default encryption type. The key is owned by DynamoDB (no additional charge).
  2. AWS managed CMK – The key is stored in your account and is managed by AWS KMS (AWS KMS charges apply).
  3. Customer managed CMK – The key is stored in your account and is created, owned, and managed by you. You have full control over the CMK (AWS KMS charges apply).

what is the best tier to use if i want to use it over the application level encryption in your opinion and why ?