Cannot change DynamoDB serverSideEncryption from true to false

When you have already deployed a DynamoDB table with serverSideEncryption: true, you cannot change it to false. Changing it to false results in a CloudFormation deploy error. This most likely happens because AWS CDK removes the underlying CloudFormation property SSESpecification / SSEEnabled instead of setting it to false at https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L1355

I have successfully changed the CloudFormation property SSESpecification / SSEEnabled: true to false when using CloudFormation directly. And I also get the same error if I try to remove the property completely.

I think AWS CDK needs some way to configure DynamoDB Tables so that the SSESpecification / SSEEnabled: false property is included in the CloudFormation stack.

PS: The reason to change serverSideEncryption to false is that it results in DEFAULT encryption being used, which doesn’t cost anything. When serverSideEncryption is true, the mode is KMS - AWS managed CMK and AWS charges you for it. At least that’s what the DynamoDB console says.

Reproduction Steps

1. Deploy a DynamoDB table with serverSideEncryption: true
2. Change it to serverSideEncryption: false and try to deploy the update

Error Log

CloudFormation error when deploying update:

At least one of ProvisionedThroughput, BillingMode, UpdateStreamEnabled, GlobalSecondaryIndexUpdates or SSESpecification or ReplicaUpdates is required (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException

Environment

• CLI Version : 1.42.0 (build 3b64241)
• Framework Version: 1.42.0
• OS : Linux
• Language : TypeScript

Other

This is 🐛 Bug Report