We develop a PWA that needs hipaa compliance based on AWS. In this paper writes AWS AWS Architecture Whitepaper when PHI is stored in DynamoDB needs to encrypt before is stored in DynamoDB. Now has AWS relased Enryiption at Rest at some DynamoDB regions. Is it required to encrypt PHI when i enable encryption at DynamoDB level to be hipaa compliance?
Using DynamoDB's server-side encryption option is sufficient. You do not need to pre-encrypt the data before sending it to DynamoDB for encryption. The data also needs to be encrypted in transit to DynamoDB, of course.
Note that while HIPAA itself requires encryption at rest, AWS additionally requires that you store the data in an AWS HIPAA-eligible service (which DynamoDB is).
You must additionally execute an AWS BAA and then you may use any AWS service (even those not on the HIPAA-eligible list) in an account designated as a HIPAA Account, but you may only process, store and transmit PHI data using the HIPAA-eligible services.
Update November 2018: all DynamoDB tables are encrypted at rest.