Description:
Amazon DynamoDB is a fully managed, scalable NoSQL database service. DynamoDB integrates with AWS Key Management Service (AWS KMS) to provide server-side encryption at rest: every table is encrypted, and the control is which kind of KMS key protects it.
Rationale:
Encrypting all data at rest with keys held in AWS KMS lets DynamoDB protect sensitive data while removing the operational burden and complexity of managing encryption yourself. Choosing an AWS managed key or a customer managed key, rather than the AWS owned default, puts the key policy under your control and makes every use of the key visible in AWS CloudTrail, which the AWS owned key does not offer.
Impact:
With encryption at rest, DynamoDB transparently encrypts all customer data in a table, including its primary key and its local and global secondary indexes, whenever the table is persisted to disk. Switching the key type is done in place with UpdateTable; the table enters the UPDATING state and remains available while the change is applied. Using an AWS managed or customer managed key incurs AWS KMS charges, which the AWS owned key does not. With a customer managed key, you also take on key lifecycle risk: if the key is disabled or scheduled for deletion, DynamoDB can no longer decrypt the table and it becomes inaccessible until the key is re-enabled.
Default Value:
By default, DynamoDB tables are encrypted at rest with an AWS owned key, which is not visible in your account. Using an AWS managed key (alias/aws/dynamodb) or a customer managed key provides additional functionality via AWS KMS, such as viewing the key policy, auditing key usage in CloudTrail, and (for customer managed keys) controlling rotation of the cryptographic material.
Audit:
Sign in to the AWS Management Console.
Navigate to the DynamoDB service at https://console.aws.amazon.com/dynamodb
Click Tables in the left navigation pane.
Click the name of the table you want to examine.
In the Overview tab, under Table details, check the Encryption type. DEFAULT (shown in newer console versions as "Owned by Amazon DynamoDB") means the AWS owned key is in use.
If the Encryption type is DEFAULT, follow the Implementation Steps to encrypt the table with a KMS key.
CLI COMMANDS
aws dynamodb describe-table --region us-east-1 --table-name cc-rule-definitions --query 'Table.SSEDescription.SSEType'
The query prints "KMS" when an AWS managed or customer managed key is in use and null when the table uses the AWS owned key, because DescribeTable omits SSEDescription in that case. SSEType alone does not distinguish an AWS managed key from a customer managed one: read Table.SSEDescription.KMSMasterKeyArn and pass it to aws kms describe-key --key-id <arn> --query 'KeyMetadata.KeyManager', which returns AWS for the AWS managed key and CUSTOMER for a customer managed key.
Remediation:
Pre-requisites:
Sign in as an administrator or an IAM principal with dynamodb:DescribeTable and dynamodb:UpdateTable on the table.
A KMS key in the same Region as the table: either the AWS managed key alias/aws/dynamodb or a customer managed key. For a customer managed key, the key policy must allow DynamoDB to use it on the caller's behalf (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey and kms:CreateGrant, typically scoped with a kms:ViaService condition for dynamodb.<region>.amazonaws.com, as shown in the referenced AWS KMS documentation).
Implementation Steps:
1. Sign in to the AWS Management Console.
2. Navigate to the DynamoDB service at https://console.aws.amazon.com/dynamodb
3. Click Tables in the left navigation pane.
4. Click the name of the table you want to modify.
5. In the Additional settings tab, scroll down to Encryption and click Manage encryption.
6. In the Manage encryption dialog, select the encryption type you want from the available options and, for a customer managed key, choose the key.
7. Click Save.
Via CLI:
aws dynamodb update-table --table-name <value> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234
KMSMasterKeyId accepts a key ID, key ARN, alias name or alias ARN; omit it to use the AWS managed key alias/aws/dynamodb. The change is asynchronous: re-run the describe-table command from the Audit section and confirm Table.SSEDescription.Status has moved from UPDATING to ENABLED and KMSMasterKeyArn names the intended key.
Backout plan:
To revert the change, follow the Implementation Steps again and in step 6 select the previous encryption type (and key, if any). Via the CLI, run update-table with --sse-specification Enabled=false to return the table to the AWS owned key, or specify the previous KMSMasterKeyId to return to the previous KMS key. Do not disable or schedule deletion of a customer managed key until describe-table confirms the table no longer references it.
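The Audit, Implementation and Backout procedures above, combined into one script, added here as an example and not code from AWS or from the benchmark. It uses boto3 (the AWS SDK for Python) only inside the live functions, so the classification logic and the UpdateTable argument builders can be run and checked offline against the constructed DescribeTable responses embedded in the block; the table names, account ID and key ARN in those samples are made up.

```python
"""Audit DynamoDB encryption at rest per Region and build the UpdateTable
calls for remediation and backout. Example code for this control, not AWS's."""
from __future__ import annotations

# Constructed sample DescribeTable "Table" objects, trimmed to the fields used.
# A table protected by the AWS owned key carries no SSEDescription at all.
SAMPLE_AWS_OWNED = {"TableName": "orders", "TableStatus": "ACTIVE"}
# AWS managed and customer managed keys both report SSEType "KMS"; only the
# key's KeyManager (from kms:DescribeKey) tells them apart.
SAMPLE_KMS = {
    "TableName": "cc-rule-definitions",
    "TableStatus": "ACTIVE",
    "SSEDescription": {
        "Status": "ENABLED",
        "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/"
                           "abcd1234-abcd-1234-a123-ab1234a1b234",  # constructed
    },
}


def classify_encryption(table: dict, key_manager: str | None = None) -> str:
    """Classify a table's encryption at rest.

    table       : the "Table" object returned by dynamodb:DescribeTable
    key_manager : KeyMetadata.KeyManager from kms:DescribeKey on the table's
                  key ("AWS" or "CUSTOMER"), or None if it was not looked up
    Returns AWS_OWNED, AWS_MANAGED, CUSTOMER_MANAGED or KMS_UNRESOLVED.
    """
    sse = table.get("SSEDescription")
    if not sse or sse.get("Status") in (None, "DISABLED", "DISABLING"):
        return "AWS_OWNED"
    if sse.get("SSEType") != "KMS":
        return "OTHER:" + str(sse.get("SSEType"))
    if key_manager == "AWS":
        return "AWS_MANAGED"
    if key_manager == "CUSTOMER":
        return "CUSTOMER_MANAGED"
    return "KMS_UNRESOLVED"  # SSEType is KMS but the key was not inspected


def is_compliant(classification: str, require_customer_managed: bool = False) -> bool:
    """The control passes for any KMS key; tighten to customer managed if required."""
    if require_customer_managed:
        return classification == "CUSTOMER_MANAGED"
    return classification in ("AWS_MANAGED", "CUSTOMER_MANAGED")


def sse_update_args(table_name: str, key_id: str | None = None) -> dict:
    """Keyword arguments for dynamodb:UpdateTable that move the table to a KMS
    key. key_id may be a key ID, key ARN, alias name or alias ARN; omitting it
    selects the AWS managed key alias/aws/dynamodb (UpdateTable default)."""
    spec: dict = {"Enabled": True, "SSEType": "KMS"}
    if key_id:
        spec["KMSMasterKeyId"] = key_id
    return {"TableName": table_name, "SSESpecification": spec}


def sse_revert_args(table_name: str) -> dict:
    """Backout: Enabled=False returns the table to the AWS owned key."""
    return {"TableName": table_name, "SSESpecification": {"Enabled": False}}


def audit_region(region: str) -> dict[str, str]:
    """Live audit of every table in a Region. Needs boto3 plus
    dynamodb:ListTables, dynamodb:DescribeTable and kms:DescribeKey."""
    import boto3  # imported here so the offline helpers need no SDK installed
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    results: dict[str, str] = {}
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            table = ddb.describe_table(TableName=name)["Table"]
            manager = None
            arn = table.get("SSEDescription", {}).get("KMSMasterKeyArn")
            if arn:  # resolve AWS managed vs customer managed via the key itself
                manager = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
            results[name] = classify_encryption(table, manager)
    return results


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for name, cls in sorted(audit_region(region).items()):
        flag = "" if is_compliant(cls) else "  <-- remediate"
        print(f"{name}: {cls}{flag}")
```

Run it as `python audit_ddb_sse.py us-east-1` with credentials in the environment; to remediate a flagged table, pass `sse_update_args(name, key_id)` to `boto3.client("dynamodb").update_table(**args)`, and `sse_revert_args(name)` for the backout. The classifier deliberately reports KMS_UNRESOLVED rather than guessing when the key was not inspected, so a report never labels an AWS managed key as customer managed.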
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html