DynamoDB tables should be encrypted with AWS or customer managed KMS keys¶
Description¶
Although DynamoDB tables are encrypted at rest by default with AWS owned KMS keys, using AWS managed or customer managed KMS keys provides additional functionality, such as viewing key policies, auditing usage, and rotating cryptographic material.
Remediation Steps¶
AWS Console¶
Navigate to DynamoDB.
In the navigation pane, choose Tables.
Select your table.
On the Overview tab, locate Encryption Type under Table details.
Click Manage Encryption.
Select KMS.
Click Save.
AWS CLI¶
KMS encryption can be enabled at table creation and on an existing table.
Create a KMS encrypted DynamoDB table:
aws dynamodb create-table --table-name <table-name> --attribute-definitions <attribute-names> --key-schema <attribute-names> --provisioned-throughput <throughput-parameters> --sse-specification Enabled=true,SSEType=KMS
Update an existing table with KMS encryption:
aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS
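As an added example (not part of the original page), the following Python script applies the same rule from the audit side: it classifies the SSEDescription that DynamoDB's DescribeTable returns and builds the boto3 `update_table` call equivalent to the CLI command above. Table names, the key ARN and the sample responses are constructed; only `audit_account()` calls AWS and needs boto3 and credentials, the rest runs offline.

```python
"""Audit DynamoDB table encryption from DescribeTable output (added example).

A table that still uses the default AWS owned key has no SSEDescription in
its DescribeTable response; a table moved to a KMS key reports
Status=ENABLED, SSEType=KMS and a KMSMasterKeyArn. Whether that key is the
AWS managed key (alias/aws/dynamodb) or a customer managed key is only
visible through kms:DescribeKey, whose KeyMetadata.KeyManager is
'AWS' or 'CUSTOMER'.
"""
from typing import Optional

AWS_OWNED = "AWS_OWNED_KEY"            # default encryption, non-compliant
AWS_MANAGED = "AWS_MANAGED_KMS"        # alias/aws/dynamodb
CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KMS"
KMS_UNRESOLVED = "KMS"                 # KMS key, owner not looked up


def classify_table_encryption(table: dict, key_manager: Optional[str] = None) -> str:
    """Map a DescribeTable 'Table' dict to one of the classes above."""
    sse = table.get("SSEDescription") or {}
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return AWS_OWNED
    if key_manager == "AWS":
        return AWS_MANAGED
    if key_manager == "CUSTOMER":
        return CUSTOMER_MANAGED
    return KMS_UNRESOLVED


def is_compliant(classification: str) -> bool:
    """The rule accepts either an AWS managed or a customer managed KMS key."""
    return classification != AWS_OWNED


def kms_update_kwargs(table_name: str, key_id: Optional[str] = None) -> dict:
    """Keyword arguments for boto3 update_table, equivalent to
    `aws dynamodb update-table --sse-specification Enabled=true,SSEType=KMS`.
    Without KMSMasterKeyId DynamoDB uses the AWS managed key."""
    spec = {"Enabled": True, "SSEType": "KMS"}
    if key_id:
        spec["KMSMasterKeyId"] = key_id
    return {"TableName": table_name, "SSESpecification": spec}


def audit_account(region: str = "us-east-1") -> dict:
    """Live audit: {table_name: classification}. Requires boto3 and credentials."""
    import boto3  # imported here so the offline helpers work without it
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    result = {}
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            table = ddb.describe_table(TableName=name)["Table"]
            manager = None
            arn = (table.get("SSEDescription") or {}).get("KMSMasterKeyArn")
            if arn:
                manager = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
            result[name] = classify_table_encryption(table, manager)
    return result


# Constructed sample responses; shape follows DescribeTable, values are made up.
SAMPLE_DEFAULT = {"TableName": "orders"}  # no SSEDescription -> AWS owned key
SAMPLE_KMS = {
    "TableName": "customers",
    "SSEDescription": {
        "Status": "ENABLED",
        "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
}

if __name__ == "__main__":
    for tbl, mgr in ((SAMPLE_DEFAULT, None), (SAMPLE_KMS, "CUSTOMER")):
        cls = classify_table_encryption(tbl, mgr)
        print(f"{tbl['TableName']}: {cls} compliant={is_compliant(cls)}")
    print(kms_update_kwargs("orders"))
```

The classifier deliberately treats anything other than Status=ENABLED with SSEType=KMS as the AWS owned key, so a table mid-transition (Status UPDATING) is still reported as non-compliant until the change completes.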
CloudFormation¶
JSON¶
Ensure that AWS::DynamoDB::Table contains the following:
{
  "Properties" : {
    "SSESpecification" : {
      "SSEEnabled" : true
    }
  }
}
JSON Example Configuration¶
{
  "Type" : "AWS::DynamoDB::Table",
  "Properties" : {
    "SSESpecification" : {
      "SSEEnabled" : true
    }
  }
}
Other required table fields go in the same "Properties" object alongside "SSESpecification".
YAML¶
Ensure that AWS::DynamoDB::Table contains the following:
Properties:
  SSESpecification:
    SSEEnabled: true
YAML Example Configuration¶
Type: AWS::DynamoDB::Table
Properties:
  SSESpecification:
    SSEEnabled: true
  # other required fields here
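The JSON and YAML snippets above both reduce to one check on a parsed template, so here is an added example (not part of the original page) that runs that check over every AWS::DynamoDB::Table resource. The template embedded below is constructed for the example; pass any template loaded with `json.load` (or a YAML loader) to `noncompliant_dynamodb_tables`.

```python
"""Flag CloudFormation DynamoDB tables that fall back to the AWS owned key (added example)."""
import json


def noncompliant_dynamodb_tables(template: dict) -> list:
    """Return logical IDs of AWS::DynamoDB::Table resources whose
    Properties.SSESpecification.SSEEnabled is not true.

    Without SSESpecification, or with SSEEnabled false, CloudFormation leaves
    the table on the AWS owned key. The check accepts the boolean true and the
    string form that a YAML or JSON author may have written.
    """
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = resource.get("Properties") or {}
        sse = props.get("SSESpecification") or {}
        enabled = sse.get("SSEEnabled")
        if isinstance(enabled, str):
            enabled = enabled.strip().lower() == "true"
        if enabled is not True:
            findings.append(logical_id)
    return findings


# Constructed sample template: one compliant table, two non-compliant ones.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "SSESpecification": {"SSEEnabled": true},
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST"
      }
    },
    "NoSseTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST"
      }
    },
    "DisabledTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "SSESpecification": {"SSEEnabled": false},
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST"
      }
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for logical_id in noncompliant_dynamodb_tables(SAMPLE_TEMPLATE):
        print(f"{logical_id}: SSESpecification.SSEEnabled is not true")
```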
Terraform¶
Ensure that the aws_dynamodb_table resource has a server_side_encryption block with the enabled field set to true.
Example Configuration¶
resource "aws_dynamodb_table" "example" {
  server_side_encryption {
    enabled = true
  }
  # other required fields here
}