diff --git a/infra/audit_db.tf b/infra/audit_db.tf
index 7e4858a2..a1548f99 100644
--- a/infra/audit_db.tf
+++ b/infra/audit_db.tf
@@ -22,5 +22,8 @@ resource "aws_dynamodb_table" "audit-table" {
     point_in_time_recovery {
         enabled = local.environment == "prod" ? true : false
     }
-    
+    server_side_encryption {
+        enabled = true
+        kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+    }
 }
\ No newline at end of file
diff --git a/infra/delta_db.tf b/infra/delta_db.tf
index b1b0f374..7f052bff 100644
--- a/infra/delta_db.tf
+++ b/infra/delta_db.tf
@@ -47,4 +47,8 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" {
     point_in_time_recovery {
         enabled = local.environment == "prod" ? true : false
     }
+    server_side_encryption {
+        enabled = true
+        kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+    }
 }
\ No newline at end of file
diff --git a/infra/endpoints.tf b/infra/endpoints.tf
index 0ed29040..762c0058 100644
--- a/infra/endpoints.tf
+++ b/infra/endpoints.tf
@@ -1,18 +1,33 @@
 resource "aws_security_group" "lambda_redis_sg" {
   vpc_id = data.aws_vpc.default.id
   name   = "immunisation-security-group"
+
+  # Inbound rule to allow traffic only from the VPC CIDR block
   ingress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["172.31.0.0/16"]
   }
 
+  # Outbound rules to specific AWS services using prefix lists
   egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    prefix_list_ids = [
+      "pl-7ca54015",
+      "pl-93a247fa",
+      "pl-b3a742da"
+    ]
+  }
+
+  # Egress rule to allow communication within the same security group
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    self            = true
   }
 }
 
diff --git a/infra/imms_db.tf b/infra/imms_db.tf
index 699c80f0..f7ef0e98 100644
--- a/infra/imms_db.tf
+++ b/infra/imms_db.tf
@@ -42,4 +42,8 @@ resource "aws_dynamodb_table" "events-dynamodb-table" {
     point_in_time_recovery {
         enabled = local.environment == "prod" ? true : false
     }
+    server_side_encryption {
+        enabled = true
+        kms_key_arn = data.aws_kms_key.existing_dynamo_encryption_arn.arn
+    }
 }
\ No newline at end of file
diff --git a/infra/kms_dynamo.tf b/infra/kms_dynamo.tf
new file mode 100644
index 00000000..eaab9304
--- /dev/null
+++ b/infra/kms_dynamo.tf
@@ -0,0 +1,66 @@
+ resource "aws_kms_key" "dynamodb_encryption" {
+  description         = "KMS key for DynamoDB encryption"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "key-default-1",
+  "Statement": [
+    {
+      "Sid": "Allow administration of the key",
+      "Effect": "Allow",
+      "Principal": { "AWS": "arn:aws:iam::345594581768:root" },
+      "Action": [
+        "kms:Create*",
+        "kms:Describe*",
+        "kms:Enable*",
+        "kms:List*",
+        "kms:Put*",
+        "kms:Update*",
+        "kms:Revoke*",
+        "kms:Disable*",
+        "kms:Get*",
+        "kms:Delete*",
+        "kms:ScheduleKeyDeletion",
+        "kms:CancelKeyDeletion",
+        "kms:GenerateDataKey*",
+        "kms:Decrypt",
+        "kms:Tag*"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "KMS KeyUser access",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::345594581768:role/auto-ops"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "KMS KeyUser access for DevOps",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::345594581768:role/DevOps"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+ 
+resource "aws_kms_alias" "dynamodb_encryption" {
+  name          = "alias/imms-event-dynamodb-encryption"
+  target_key_id = aws_kms_key.dynamodb_encryption.key_id
+}
+
+data "aws_kms_key" "existing_dynamo_encryption_arn" {
+  key_id = "alias/imms-event-dynamodb-encryption"
+  arn = aws_kms_key.dynamodb_encryption.arn
+}
\ No newline at end of file
diff --git a/terraform/delta.tf b/terraform/delta.tf
index 9a3c7674..8075526a 100644
--- a/terraform/delta.tf
+++ b/terraform/delta.tf
@@ -85,6 +85,9 @@ data "aws_iam_policy_document" "delta_policy_document" {
         templatefile("${local.policy_path}/aws_sqs_queue.json", {
             "aws_sqs_queue_name" : aws_sqs_queue.dlq.name
         } ),
+        templatefile("${local.policy_path}/dynamo_key_access.json", {
+            "dynamo_encryption_key" : data.aws_kms_key.existing_dynamo_encryption_key.arn
+        }),
         templatefile("${local.policy_path}/aws_sns_topic.json", {
             "aws_sns_topic_name" : aws_sns_topic.delta_sns.name
         } ),
diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf
index 8c1bf430..0764d6f6 100644
--- a/terraform/endpoints.tf
+++ b/terraform/endpoints.tf
@@ -42,6 +42,9 @@ data "aws_iam_policy_document" "imms_policy_document" {
             "local_account" : local.local_account_id
             "queue_prefix" : local.short_prefix
         } ),
+        templatefile("${local.policy_path}/dynamo_key_access.json", {
+            "dynamo_encryption_key" : data.aws_kms_key.existing_dynamo_encryption_key.arn
+        } ),
         templatefile("${local.policy_path}/log_kinesis.json", {
             "kinesis_stream_name" : module.splunk.firehose_stream_name
         } ),
diff --git a/terraform/file_name_processor.tf b/terraform/file_name_processor.tf
index 922135dc..afede93b 100644
--- a/terraform/file_name_processor.tf
+++ b/terraform/file_name_processor.tf
@@ -198,7 +198,10 @@ resource "aws_iam_policy" "filenameprocessor_lambda_kms_access_policy" {
           "kms:Decrypt",
           "kms:GenerateDataKey*"
         ]
-        Resource = data.aws_kms_key.existing_s3_encryption_key.arn
+        Resource = [
+            data.aws_kms_key.existing_s3_encryption_key.arn,
+            data.aws_kms_key.existing_dynamo_encryption_key.arn
+        ]
       }
     ]
   })
diff --git a/terraform/forwarder_lambda.tf b/terraform/forwarder_lambda.tf
index 6463efb1..93e936c5 100644
--- a/terraform/forwarder_lambda.tf
+++ b/terraform/forwarder_lambda.tf
@@ -148,7 +148,8 @@ resource "aws_iam_policy" "forwarding_lambda_exec_policy" {
           "kms:Decrypt",
           "kms:GenerateDataKey*"
         ]
-        Resource = data.aws_kms_key.existing_s3_encryption_key.arn
+        Resource = [data.aws_kms_key.existing_s3_encryption_key.arn,
+                    data.aws_kms_key.existing_dynamo_encryption_key.arn]
       },
       {
         Effect   = "Allow"
diff --git a/terraform/policies/dynamo_key_access.json b/terraform/policies/dynamo_key_access.json
new file mode 100644
index 00000000..d5a58cfb
--- /dev/null
+++ b/terraform/policies/dynamo_key_access.json
@@ -0,0 +1,16 @@
+{
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey*"
+      ],
+        "Resource" : [
+            "${dynamo_encryption_key}"
+        ]
+      }
+    ]
+  }
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 4a401774..b52c1b9d 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -52,6 +52,10 @@ data "aws_kms_key" "existing_s3_encryption_key" {
   key_id = "alias/imms-batch-s3-shared-key"
 }
 
+data "aws_kms_key" "existing_dynamo_encryption_key" {
+  key_id = "alias/imms-event-dynamodb-encryption"
+}
+
 variable "aws_region" {
     default = "eu-west-2"
 }