Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's

AWS DynamoDb should be encrypted using AWS Managed Customer Master Key (CMK), instead of AWS-owned CMK. This is required in order to meet encryption regulatory requirements of Server-Side encryption for the sensitive data that may be stored in the DynamoDB. In addition, encrypting DynamoDb with AWS-managed CMK allows you to view the CMK and its key policy and also audit the encryption/decryption events by examining the DynamoDB API calls using CloudTrail.

Risk Level: Low
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.CFT.CRY.04
Covered by Spectral: Yes
Category: Database


AWS_DynamoDB_Table should have SSESpecification.SSEType='KMS' and SSESpecification.KMSMasterKeyId


From CFT
Set AWS::DynamoDB::Table SSESpecification.SSEType property to be 'KMS' and SSESpecification.KMSMasterKeyId to the user managed key ARN


  1. https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html
  2. https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html

Amazon DynamoDB

Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications

Compliance Frameworks

  • AWS CloudFormation ruleset