Ensure that AWS DynamoDB is encrypted using customer-managed CMK

AWS DynamoDb should be encrypted using customer-managed CMK, instead of AWS-managed CMK. An AWS-managed CMK can only be used to protect resources within the specific AWS service for which it is created. It does not provide the level of granular control that a customer-managed CMK provides. For more control, a best practice is to use a customer-managed CMK in all supported AWS services and in your applications. A customer-managed CMK is created at your request and should be configured based upon your explicit use case.This is required in order to meet encryption regulatory requirements of Server-Side encryption for the sensitive data that may be stored in the DynamoDB

Risk Level: Low
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.AWS.CRY.30
Covered by Spectral: Yes
Category: Database


DynamoDbTable should have encryptionType='KMS'


From Portal

  1. Sign in to AWS console.
  2. In the console, select the specific region.
  3. Navigate to DynamoDB dashboard.
  4. Select the reported table from the list of DynamoDB tables.
  5. Choose Additional Settings tab and go to Encryption section.
  6. Click on Manage Encryption tab.
  7. On Manage Encryption pop up window, select Stored in your account, and owned and managed by you to select customer managed CMK as the encryption type.
  8. Click on Save Changes.

From TF

resource "aws_dynamodb_table" "basic_dynamodb_table" {
	server_side_encryption {
		-  kms_key_arn = null
		+  kms_key_arn = KEY_ARN

From Command Line
Run below command to update an encrypted table with a customer managed key for DynamoDB

aws dynamodb update-table --table-name Music --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=KEY_ID


  1. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
  2. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table
  4. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
  5. https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

Amazon DynamoDB

Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset