Ensure that AWS DynamoDB is encrypted using customer-managed CMK
AWS DynamoDb should be encrypted using customer-managed CMK, instead of AWS-managed CMK. An AWS-managed CMK can only be used to protect resources within the specific AWS service for which it is created. It does not provide the level of granular control that a customer-managed CMK provides. For more control, a best practice is to use a customer-managed CMK in all supported AWS services and in your applications. A customer-managed CMK is created at your request and should be configured based upon your explicit use case.This is required in order to meet encryption regulatory requirements of Server-Side encryption for the sensitive data that may be stored in the DynamoDB
Risk Level: Low
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.AWS.CRY.30
Covered by Spectral: Yes
Category: Database
GSL LOGIC
DynamoDbTable should have encryptionType='KMS'
REMEDIATION
From Portal
- Sign in to AWS console.
- In the console, select the specific region.
- Navigate to DynamoDB dashboard.
- Select the reported table from the list of DynamoDB tables.
- Choose Additional Settings tab and go to Encryption section.
- Click on Manage Encryption tab.
- On Manage Encryption pop up window, select Stored in your account, and owned and managed by you to select customer managed CMK as the encryption type.
- Click on Save Changes.
From TF
resource "aws_dynamodb_table" "basic_dynamodb_table" {
server_side_encryption {
- kms_key_arn = null
+ kms_key_arn = KEY_ARN
}
}
From Command Line
Run below command to update an encrypted table with a customer managed key for DynamoDB
aws dynamodb update-table --table-name Music --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=KEY_ID
References
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table
- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
- https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications
Compliance Frameworks
- AWS CCPA Framework
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago