Description:
AWS DynamoDB tables can be encrypted at rest using a customer-managed KMS key (CMK). This helps to protect the data in the table from unauthorized access.
Rationale:
Data in DynamoDB tables is stored in the AWS Cloud, which is a secure environment. However, it is still possible for unauthorized users to access the data if it is not encrypted. By encrypting the data in DynamoDB tables, you can help to protect it from unauthorized access.
Impact:
If DynamoDB tables are not encrypted at rest, then they could be vulnerable to attack. This could lead to unauthorized access to sensitive data, such as customer PII, financial data, and intellectual property.
Default Value:
By default, DynamoDB tables are not encrypted at rest. You must explicitly enable encryption for each table.
Pre-requisites:
- You must have an AWS account and be logged in to the AWS Management Console.
- You must have a CMK created in KMS.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS DynamoDB console.
- Click the name of the table that you want to encrypt.
- On the Table details page, click the Encryption tab.
- In the Encryption at rest section, select the Enable encryption at rest checkbox.
- Select the CMK that you want to use for encryption.
- Click Save.
Test Plan:
- Verify that the Enable encryption at rest checkbox is selected.
- Verify that the CMK that you selected is the correct key.
- Try to access the data in the table using the AWS CLI.
- If you are unable to access the data, then it is encrypted.
Implementation Plan:
- Create a policy that requires all DynamoDB tables to be encrypted at rest.
- Implement the policy by enabling encryption for all DynamoDB tables.
- Monitor the status of the policy to ensure that all DynamoDB tables are encrypted at rest.
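The following script is an added example and is not part of the original page or of any AWS tooling. It covers the verification asked for in the Test Plan (is the table using the CMK you selected?) and the monitoring step of the Implementation Plan (are all tables compliant?) by evaluating the response shapes of `aws dynamodb describe-table` (`Table.SSEDescription`) and `aws kms describe-key` (`KeyMetadata.KeyManager`, `KeyMetadata.KeyState`). The sample responses, table names and the second key ARN are constructed for illustration; the first key ARN reuses the placeholder ARN from this page. The `collect_live` helper, which fetches real responses with boto3, is an assumption about how you would wire it up and is not exercised offline.

```python
"""Audit DynamoDB encryption-at-rest settings for a customer-managed KMS key (CMK).

Added example, not code from the original page. A table passes only when
SSEDescription reports Status ENABLED, SSEType KMS, and the referenced key
is managed by the customer (KeyManager == "CUSTOMER") and enabled. The AWS
managed key (alias/aws/dynamodb) reports KeyManager == "AWS" and fails.
"""
from typing import Optional

# Placeholder ARN taken from the page; the second ARN is constructed.
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def evaluate_table_encryption(table_desc: dict, key_metadata: Optional[dict]) -> dict:
    """Evaluate one table.

    table_desc   : the "Table" object from describe-table
    key_metadata : the "KeyMetadata" object from describe-key for the table's
                   KMSMasterKeyArn, or None when the table reports no key ARN
    Returns {"table": name, "compliant": bool, "reasons": [str, ...]}.
    """
    name = table_desc.get("TableName")
    reasons = []
    sse = table_desc.get("SSEDescription")
    if not sse:
        # No SSEDescription means no KMS CMK is configured for this table.
        reasons.append("no SSEDescription: table is not configured with a KMS CMK")
        return {"table": name, "compliant": False, "reasons": reasons}

    if sse.get("Status") != "ENABLED":
        reasons.append(f"SSE status is {sse.get('Status')!r}, expected 'ENABLED'")
    if sse.get("SSEType") != "KMS":
        reasons.append(f"SSEType is {sse.get('SSEType')!r}, expected 'KMS'")

    key_arn = sse.get("KMSMasterKeyArn")
    if not key_arn:
        reasons.append("no KMSMasterKeyArn reported")
    elif key_metadata is None:
        reasons.append(f"could not resolve key metadata for {key_arn}")
    elif key_metadata.get("KeyManager") != "CUSTOMER":
        # "AWS" here means the AWS managed key, which is not a customer-managed CMK.
        reasons.append(f"key {key_arn} is managed by {key_metadata.get('KeyManager')!r}, not 'CUSTOMER'")
    elif key_metadata.get("KeyState") != "Enabled":
        # A disabled or pending-deletion CMK makes the table data inaccessible.
        reasons.append(f"key {key_arn} is in state {key_metadata.get('KeyState')!r}, expected 'Enabled'")

    return {"table": name, "compliant": not reasons, "reasons": reasons}


def audit_tables(inventory: dict) -> list:
    """inventory maps table name -> (table_desc, key_metadata). Returns the non-compliant results."""
    results = (evaluate_table_encryption(desc, key) for desc, key in inventory.values())
    return [r for r in results if not r["compliant"]]


def collect_live(table_name: str, region: str = "us-east-1") -> tuple:
    """Assumed live collector: fetch the two responses with boto3 (needs credentials; not run offline)."""
    import boto3  # imported lazily so the offline demo below runs without boto3 installed
    table = boto3.client("dynamodb", region_name=region).describe_table(TableName=table_name)["Table"]
    key_arn = table.get("SSEDescription", {}).get("KMSMasterKeyArn")
    key_meta = None
    if key_arn:
        key_meta = boto3.client("kms", region_name=region).describe_key(KeyId=key_arn)["KeyMetadata"]
    return table, key_meta


# Constructed sample responses covering the three cases a reviewer meets in practice.
SAMPLE_TABLES = {
    "orders": (  # compliant: KMS with a customer-managed, enabled key
        {"TableName": "orders",
         "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK_ARN}},
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    ),
    "sessions": (  # KMS, but the AWS managed key rather than a CMK
        {"TableName": "sessions",
         "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_MANAGED_ARN}},
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    ),
    "audit-log": (  # no SSEDescription at all: no CMK configured
        {"TableName": "audit-log"},
        None,
    ),
}

if __name__ == "__main__":
    for result in audit_tables(SAMPLE_TABLES):
        print(f"NON-COMPLIANT {result['table']}: " + "; ".join(result["reasons"]))
```

Running the module prints the two non-compliant sample tables with their reasons; to audit a real account, build the inventory from `collect_live` for each name returned by `aws dynamodb list-tables` and feed it to `audit_tables`.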
AWS CLI Process:
- Run the following command to enable encryption at rest with a CMK for a DynamoDB table (the key ARN below is a placeholder; substitute your own):
aws dynamodb update-table --table-name my-table --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Using AWS GUI:
- Go to the AWS DynamoDB console.
- Click the name of the table that you want to encrypt.
- On the Table details page, click the Encryption tab.
- In the Encryption at rest section, select the Enable encryption at rest checkbox.
- Select the CMK that you want to use for encryption.
- Click Save.
Backout Plan:
- If you accidentally enable encryption for a DynamoDB table that should not be encrypted, you can disable encryption by following the same steps as above, but unselecting the Enable encryption at rest checkbox.
- You can also roll back the policy that requires all DynamoDB tables to be encrypted at rest.
Note:
- This policy only applies to DynamoDB tables that are encrypted at rest using a CMK. Other DynamoDB tables may not be encrypted.
- You can also use the AWS CLI or the AWS DynamoDB API to enable encryption for DynamoDB tables.
- For more information, see the AWS DynamoDB documentation on encrypting tables at rest: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html.
Reference:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html