Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs
AWS DynamoDB tables should be encrypted using an AWS KMS key that lives in your account, either the AWS managed key for DynamoDB (alias/aws/dynamodb) or a customer managed key, instead of the default AWS-owned key ("Customer Master Key", or CMK, is the older name for a KMS key). This is required in order to meet regulatory requirements for server-side encryption of the sensitive data that may be stored in DynamoDB. In addition, with an AWS managed or customer managed key you can view the key and its key policy in the KMS console, and audit encryption and decryption activity by examining the AWS KMS API calls (Decrypt, GenerateDataKey) that DynamoDB makes on your behalf in CloudTrail; AWS-owned keys are not visible in your account and their use does not appear in your CloudTrail logs. Note that the GSL logic below requires an explicit KMSMasterKeyId in the CloudFormation template, so a table that only sets SSEEnabled (and therefore uses the AWS managed key) is reported as non-compliant; the remediation asks for a customer managed key.
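To make the audit point concrete, the following is an added example (not CloudGuard's or AWS's own code) that attributes KMS activity in a CloudTrail log to DynamoDB tables. It relies on the documented DynamoDB encryption context key aws:dynamodb:tableName, which DynamoDB adds to every KMS call it makes for a table. The CloudTrail records, account ID, table names and key ARNs are constructed placeholders; the second function's allow-list of expected keys per table is also an assumption of the example, not something the rule defines.

```python
"""Audit DynamoDB's use of AWS KMS keys from CloudTrail records."""
from collections import Counter, defaultdict
from typing import Any, Dict, Iterator, List, Tuple

# DynamoDB places the table name in the encryption context of every KMS call
# it makes on your behalf, which is how those calls are attributed to a table.
DDB_TABLE_CTX = "aws:dynamodb:tableName"

# Placeholder key ARNs (constructed, not real keys).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
KEY_C = "arn:aws:kms:us-east-1:111122223333:key/cccccccc-0000-0000-0000-000000000003"


def _kms_event(name: str, key_arn: str, context: Dict[str, str], invoked_by: str) -> Dict[str, Any]:
    """Build one constructed CloudTrail KMS record for the sample log below."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "invokedBy": invoked_by},
        "requestParameters": {"encryptionContext": context},
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
    }


# Constructed sample CloudTrail log (not real data): two tables that use KMS
# keys, one KMS call made for S3, and one plain DynamoDB data-plane event.
SAMPLE_TRAIL = {"Records": [
    _kms_event("Decrypt", KEY_A,
               {DDB_TABLE_CTX: "Orders", "aws:dynamodb:subscriberId": "111122223333"},
               "dynamodb.amazonaws.com"),
    _kms_event("GenerateDataKey", KEY_A,
               {DDB_TABLE_CTX: "Orders", "aws:dynamodb:subscriberId": "111122223333"},
               "dynamodb.amazonaws.com"),
    _kms_event("Decrypt", KEY_B,
               {DDB_TABLE_CTX: "Sessions", "aws:dynamodb:subscriberId": "111122223333"},
               "dynamodb.amazonaws.com"),
    _kms_event("Decrypt", KEY_C,
               {"aws:s3:arn": "arn:aws:s3:::example-bucket/object"},
               "s3.amazonaws.com"),
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"tableName": "Orders"}},
]}


def _dynamodb_kms_records(trail: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (table name, record) for every KMS call DynamoDB made for a table."""
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS call (e.g. a DynamoDB PutItem event)
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        table = ctx.get(DDB_TABLE_CTX)
        if not table:
            continue  # KMS call made for another service (S3, EBS, ...)
        yield table, rec


def dynamodb_kms_usage(trail: Dict[str, Any]) -> Dict[str, Dict[str, int]]:
    """Count KMS operations per DynamoDB table, e.g. {"Orders": {"Decrypt": 1}}.
    A table encrypted with an AWS-owned key produces no such records at all."""
    usage: Dict[str, Counter] = defaultdict(Counter)
    for table, rec in _dynamodb_kms_records(trail):
        usage[table][rec["eventName"]] += 1
    return {table: dict(counts) for table, counts in usage.items()}


def unexpected_key_usage(trail: Dict[str, Any], expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (table, key ARN) pairs where a table used a KMS key other
    than the one listed for it in `expected` (tables not listed are reported)."""
    findings = set()
    for table, rec in _dynamodb_kms_records(trail):
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key" and res.get("ARN") != expected.get(table):
                findings.add((table, res["ARN"]))
    return sorted(findings)


if __name__ == "__main__":
    print(dynamodb_kms_usage(SAMPLE_TRAIL))
    print(unexpected_key_usage(SAMPLE_TRAIL, {"Orders": KEY_A, "Sessions": KEY_A}))
```

Run against a real trail, the first function gives the per-table encrypt/decrypt activity the page says becomes auditable once a KMS key is used, and the second flags tables whose traffic goes to a key other than the customer managed key you assigned them.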
Risk Level: Low
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.CFT.CRY.04
Covered by Spectral: Yes
Category: Database
GSL LOGIC
AWS_DynamoDB_Table should have SSESpecification.SSEType='KMS' and SSESpecification.KMSMasterKeyId
REMEDIATION
From CFT
Set the AWS::DynamoDB::Table resource's SSESpecification.SSEEnabled property to true, SSESpecification.SSEType to 'KMS', and SSESpecification.KMSMasterKeyId to the ARN of the customer managed key (a key ID, alias name or alias ARN is also accepted). SSEEnabled is required whenever SSESpecification is present; if KMSMasterKeyId is omitted, DynamoDB uses the AWS managed key alias/aws/dynamodb, which does not satisfy the GSL logic above.
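As an added example (not CloudGuard's GSL engine or any code from the page), the following Python evaluates the rule against a CloudFormation template in JSON form. It embeds a constructed template with one table per encryption option: no SSESpecification (AWS-owned key), SSEEnabled with no key ID (AWS managed key), and an explicit customer managed key ARN. The key ARN and account ID are placeholders. The check is slightly stricter than the GSL line, in that it also requires SSEEnabled to be true, which CloudFormation needs for the key to take effect.

```python
"""Evaluate the DynamoDB SSE rule against a CloudFormation template (JSON)."""
import json
from typing import Any, Dict, List

# Constructed sample template (not from the page). The key ARN is a placeholder.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "OwnedKeyTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}]
      }
    },
    "AwsManagedKeyTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "SSESpecification": {"SSEEnabled": true, "SSEType": "KMS"}
      }
    },
    "CustomerKeyTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "SSESpecification": {
          "SSEEnabled": true,
          "SSEType": "KMS",
          "KMSMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
        }
      }
    },
    "NotATable": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def table_is_compliant(properties: Dict[str, Any]) -> bool:
    """GSL: SSESpecification.SSEType='KMS' and SSESpecification.KMSMasterKeyId,
    plus SSEEnabled=true. A KMSMasterKeyId given as an intrinsic function such
    as {"Ref": "TableKey"} or {"Fn::GetAtt": [...]} still counts as present."""
    sse = properties.get("SSESpecification") or {}
    if sse.get("SSEEnabled") is not True:
        return False  # no SSE block at all means the AWS-owned key is used
    if sse.get("SSEType") != "KMS":
        return False
    return bool(sse.get("KMSMasterKeyId"))  # absent/empty => AWS managed key


def evaluate_template(template: Dict[str, Any]) -> Dict[str, bool]:
    """Return {logical_id: compliant} for every AWS::DynamoDB::Table resource."""
    results: Dict[str, bool] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::DynamoDB::Table":
            results[logical_id] = table_is_compliant(resource.get("Properties") or {})
    return results


def noncompliant_tables(template: Dict[str, Any]) -> List[str]:
    """Logical IDs of tables that fail the rule, sorted for stable output."""
    return sorted(lid for lid, ok in evaluate_template(template).items() if not ok)


if __name__ == "__main__":
    for lid, ok in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{lid}: {'PASS' if ok else 'FAIL'}")
```

Only CustomerKeyTable passes; AwsManagedKeyTable fails because the rule demands an explicit KMSMasterKeyId, and OwnedKeyTable fails because it has no SSESpecification at all. Templates written in YAML can be fed to the same functions after loading them with a YAML parser that understands CloudFormation's short-form intrinsics.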
References
- https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html
- https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago