Description:

Amazon DynamoDB is a fully managed, scalable NoSQL database service. DynamoDB integrates with AWS Key Management Service (AWS KMS) to provide server-side encryption at rest, so that table data is encrypted on disk under a key that AWS KMS protects.


Rationale:

DynamoDB encryption at rest protects all of your table data on disk with encryption keys maintained in AWS Key Management Service (AWS KMS). Moving from the AWS owned default key to an AWS managed or customer managed key gives you a key policy you can review, key usage you can audit, and rotation you can control, which reduces the operational burden and complexity of safeguarding sensitive data.


Impact:

With encryption at rest, DynamoDB transparently encrypts all customer data in a table, including its primary key and its local and global secondary indexes, whenever the table is persisted to disk. Changing the encryption type re-keys an existing table in place, without downtime. A table encrypted with a customer managed key becomes unreadable if that key is disabled, scheduled for deletion, or its key policy no longer grants DynamoDB access, so protect the key's lifecycle as carefully as the table itself; customer managed keys also incur AWS KMS charges.


Default Value:

By default, DynamoDB tables are encrypted at rest with an AWS owned key, which the console shows as Encryption Type DEFAULT. Choosing the AWS managed key (aws/dynamodb) or a customer managed key instead provides the additional functionality of AWS KMS: viewing the key policy, auditing key usage through AWS CloudTrail, and controlling rotation of the cryptographic material. Only a customer managed key lets you write the key policy yourself.


Audit:

  1. Sign in to AWS Management Console

  2. Navigate to DynamoDB service at https://console.aws.amazon.com/dynamodb

  3. Click on the Tables in the left navigation pane.

  4. Click on the table name you want to examine

  5. In the Overview tab, under Table details, check the Encryption Type column

  6. If the Encryption Type is DEFAULT (AWS owned key), or shows the AWS managed key where your policy requires a customer managed key, follow the Remediation steps to encrypt the table with the required AWS KMS key

CLI COMMANDS

aws dynamodb describe-table \
  --region us-east-1 \
  --table-name cc-rule-definitions \
  --query 'Table.SSEDescription.SSEType'

The command prints "KMS" when the table uses an AWS managed or customer managed key. It prints null when the table uses the AWS owned key, because DescribeTable returns no SSEDescription at all for such tables; treat null as DEFAULT. To tell an AWS managed key from a customer managed one, query Table.SSEDescription.KMSMasterKeyArn instead and run aws kms describe-key on that ARN: KeyMetadata.KeyManager is AWS for the aws/dynamodb key and CUSTOMER for your own key.

Remediation:

Pre-requisites:

  1. Sign in as an administrator or as an IAM user with the required permissions (dynamodb:DescribeTable and dynamodb:UpdateTable on the table, plus kms:DescribeKey on the key)

  2. An AWS KMS key to encrypt with; for a customer managed key, its key policy must allow the DynamoDB service to use it on your behalf

Implementation Steps:

  1. Sign in to AWS Management Console

  2. Navigate to DynamoDB service at https://console.aws.amazon.com/dynamodb

  3. Click on the Tables in the left navigation pane

  4. Click on the table name you want to modify

  5. In the Additional Settings tab, scroll down to the Encryption section and click Manage Encryption

  6. In the Manage Encryption dialog, select the encryption type you want (AWS managed key or customer managed key) and, for a customer managed key, choose the key

  7. Click on Save

Via CLI:

aws dynamodb update-table \
  --table-name <value> \
  --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234

KMSMasterKeyId accepts a key ID, key ARN, alias name or alias ARN. If you omit it, DynamoDB selects the AWS managed key aws/dynamodb rather than a customer managed key. Re-run the describe-table command from the Audit section afterwards to confirm the new KMSMasterKeyArn.
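The audit and the CLI remediation above can be driven from a script when there are many tables to check. The following is an added example written for this page, not code from the page, from CIS or from AWS. It classifies each table the way the console does (DEFAULT, AWS managed key, customer managed key), telling the last two apart by the KeyManager field that KMS DescribeKey returns, and builds the SSESpecification that UpdateTable expects. The table descriptions, account number and key ARNs in the sample data are constructed for the demo; the live path assumes boto3 is installed and that the caller holds dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:UpdateTable and kms:DescribeKey.

```python
"""Audit DynamoDB tables for their encryption-at-rest key class and build the
UpdateTable request that moves a table onto a KMS key.

Added example for this page, not AWS or CIS code.  The sample DescribeTable
responses, account id and key ARNs below are constructed for the demo.
"""
import sys

# Key classes, named as the DynamoDB console labels them.
AWS_OWNED = "DEFAULT"                      # AWS owned key: DescribeTable has no SSEDescription
AWS_MANAGED = "AWS_MANAGED_KMS"            # alias/aws/dynamodb, KMS KeyManager == "AWS"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KMS"  # your own key, KMS KeyManager == "CUSTOMER"


def classify_sse(table, key_manager_of):
    """Return the key class for one DescribeTable 'Table' dict.

    key_manager_of(key_arn) must return KeyMetadata.KeyManager from KMS
    DescribeKey ("AWS" or "CUSTOMER").  A table on the AWS owned key has no
    SSEDescription at all, which the console shows as DEFAULT; a legacy
    DISABLED status means the same thing.
    """
    sse = table.get("SSEDescription") or {}
    if sse.get("SSEType") != "KMS" or sse.get("Status") in ("DISABLED", "DISABLING"):
        return AWS_OWNED
    manager = key_manager_of(sse["KMSMasterKeyArn"])
    return CUSTOMER_MANAGED if manager == "CUSTOMER" else AWS_MANAGED


def sse_specification(kms_key_id=None):
    """Build the SSESpecification argument for UpdateTable.

    Without a key id DynamoDB selects the AWS managed key alias/aws/dynamodb;
    pass a key id, key ARN or alias to use a customer managed key.
    """
    spec = {"Enabled": True, "SSEType": "KMS"}
    if kms_key_id:
        spec["KMSMasterKeyId"] = kms_key_id
    return spec


def audit(tables, key_manager_of, required=CUSTOMER_MANAGED):
    """Return [(table_name, key_class, compliant)] for a list of 'Table' dicts."""
    rank = {AWS_OWNED: 0, AWS_MANAGED: 1, CUSTOMER_MANAGED: 2}
    results = []
    for table in tables:
        cls = classify_sse(table, key_manager_of)
        results.append((table["TableName"], cls, rank[cls] >= rank[required]))
    return results


# Constructed sample data: a fake account, a fake aws/dynamodb key and a fake CMK.
AWS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-1111-2222-333333333333"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-4444-5555-6666-777777777777"
SAMPLE_KEY_MANAGER = {AWS_KEY_ARN: "AWS", CMK_ARN: "CUSTOMER"}
SAMPLE_TABLES = [
    {"TableName": "orders"},  # no SSEDescription: AWS owned key (DEFAULT)
    {"TableName": "sessions",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_KEY_ARN}},
    {"TableName": "cc-rule-definitions",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK_ARN}},
]


def sample_audit():
    """Run the classifier over the constructed sample, offline."""
    return audit(SAMPLE_TABLES, SAMPLE_KEY_MANAGER.__getitem__)


def live_audit(region, fix_with_key=None):
    """Audit every table in a region with boto3; optionally re-key non-compliant ones."""
    import boto3  # imported here so the offline sample needs no AWS SDK
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    names = []
    for page in ddb.get_paginator("list_tables").paginate():
        names.extend(page["TableNames"])
    tables = [ddb.describe_table(TableName=n)["Table"] for n in names]

    def manager_of(arn):
        return kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]

    results = audit(tables, manager_of)
    for name, cls, ok in results:
        print(f"{name}: {cls} {'OK' if ok else 'NON-COMPLIANT'}")
        if not ok and fix_with_key:
            ddb.update_table(TableName=name, SSESpecification=sse_specification(fix_with_key))
    return results


if __name__ == "__main__":
    # python audit_ddb_sse.py                  -> offline sample
    # python audit_ddb_sse.py us-east-1        -> live audit only
    # python audit_ddb_sse.py us-east-1 KEYID  -> live audit, re-key failures
    if len(sys.argv) > 1:
        live_audit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        for row in sample_audit():
            print(row)
```

The re-key branch is deliberately opt-in: pass the key only after confirming the key policy grants DynamoDB access, since a table moved onto a key the service cannot use becomes unreadable.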

Backout plan:

To roll back, follow the same steps in the Implementation section and in step 6 select the previous encryption type and key (or run update-table again with the previous SSE specification). Do not disable or schedule deletion of the customer managed key until the table shows the previous key in its KMSMasterKeyArn, because data still encrypted under that key cannot be read without it.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html