Profile Applicability:

  • Level 1

Description:

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. To enhance security and limit access to sensitive data, it's important to ensure that DynamoDB tables are not accessible from other AWS accounts unless explicitly intended. This SOP ensures that the DynamoDB tables in your account are configured to prevent cross-account access unless it is explicitly required for business or operational purposes.

Rationale:

  • Security: Allowing access to DynamoDB tables from other AWS accounts without proper control could expose sensitive data or lead to unauthorized access. Ensuring that cross-account access is restricted helps maintain security.

  • Compliance: Many security and compliance frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require that sensitive data be protected from unauthorized access, including access from other AWS accounts.

  • Best Practices: Restricting cross-account access to DynamoDB tables follows best practices for data security and minimizes the risk of data breaches or unauthorized changes.

Impact:

Pros:

  • Increased Security: Prevents unauthorized access to your DynamoDB tables from other AWS accounts.

  • Improved Compliance: Helps meet security and compliance requirements by ensuring that access to data is properly controlled.

  • Access Control: Ensures that only authorized accounts or users within your own organization can access your DynamoDB tables.

Cons:

  • Operational Overhead: If cross-account access is required for legitimate use cases, you may need to explicitly configure access for trusted accounts, which could increase administrative overhead.

  • Configuration Errors: If access restrictions are not configured properly, it could prevent legitimate access from trusted AWS accounts, causing service disruptions.

Default Value:

By default, DynamoDB tables are not accessible from other AWS accounts unless cross-account permissions are explicitly granted through IAM roles, resource-based policies, or AWS Identity and Access Management (IAM) policies.

Pre-requisite:

  • AWS IAM Permissions:

    • dynamodb:ListTables

    • dynamodb:DescribeTable

    • dynamodb:PutItem

    • dynamodb:GetItem

    • dynamodb:UpdateTable

  • AWS CLI installed and configured.

  • DynamoDB tables should already be created and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to DynamoDB under Services.

  3. In the DynamoDB Console, select Tables and choose a table you want to check for cross-account access.

  4. Under the Permissions section of the table details, verify if there are any resource-based policies allowing access from other AWS accounts.

  5. Ensure that no cross-account access is granted unless explicitly required.

  6. If cross-account access is found, verify that it is intentional and follows the principle of least privilege.

Using AWS CLI:

  1. To list the resource-based policies for a DynamoDB table, run:

    aws dynamodb describe-table --table-name <table-name> --query 'Table.TableArn'

  2. Retrieve the IAM policies and ensure there are no policies allowing access to other AWS accounts, unless explicitly configured for valid use cases:

    aws dynamodb list-table-roles --table-name <table-name>

  3. Verify the IAM roles associated with the table and review the cross-account access permissions in the policies.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to DynamoDB.

  2. Select the table you want to review and check its Permissions settings.

  3. If any resource-based policies grant access to other AWS accounts, review and modify them to restrict access to only the trusted accounts or remove unnecessary policies.

  4. To modify or add access control:

    • Use IAM roles and policies to restrict access to specific AWS accounts.

    • Use AWS KMS to encrypt your table if additional access control is needed based on encryption.

  5. Ensure that no cross-account access exists unless absolutely necessary.

Using AWS CLI:

  1. If cross-account access exists, remove or restrict access by updating the IAM policies associated with the DynamoDB table:

    aws dynamodb update-table --table-name <table-name> --no-cross-account-access

  2. If cross-account access is required, ensure that the appropriate IAM roles are created for trusted AWS accounts with restricted permissions.

Backout Plan:

Using AWS Console:

  1. If restricting access causes issues, sign in to the AWS Management Console.

  2. Navigate to DynamoDB, select the table, and go to Edit access.

  3. Restore the previous access settings or modify the IAM roles/policies to allow the necessary cross-account access.

  4. Verify that access has been restored for the appropriate accounts.

Using AWS CLI:

  1. If you accidentally removed required access, you can revert by updating the policies using the following command:

    aws dynamodb update-table --table-name <TABLE_NAME> --region <REGION> --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5

  2. Verify that access has been restored:

    aws dynamodb describe-table --table-name <TABLE_NAME> --region <REGION>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.