Profile Applicability:

  • Level 1

Description:

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Encryption at rest ensures that the data stored in DynamoDB tables is encrypted to protect sensitive information. By default, DynamoDB uses AWS-managed keys for encryption, but organizations may choose to use Customer Master Keys (CMK) from AWS Key Management Service (KMS) for more granular control over encryption. This SOP ensures that DynamoDB tables are encrypted at rest using CMK KMS.

Rationale:

  • Security: Encryption at rest ensures that the data stored in DynamoDB is protected even if physical storage is compromised. Using CMK KMS provides an added layer of control over encryption and key management, ensuring that only authorized entities can decrypt sensitive data.

  • Compliance: Many security frameworks and compliance regulations, such as SOC 2, PCI-DSS, and HIPAA, require that data be encrypted both in transit and at rest. Using CMK KMS helps meet these regulatory requirements.

  • Best Practices: Using CMK KMS allows organizations to have better control over key management policies, key rotation, and auditing, providing a more secure setup than using AWS-managed keys.

Impact:

Pros:

  • Increased Security: Data stored in DynamoDB is encrypted at rest, and only authorized users can access or decrypt the data.

  • Compliance: Helps meet the requirements of security and compliance frameworks that mandate encryption at rest with customer-controlled keys.

  • Granular Control: Using CMK KMS allows the organization to manage encryption keys, define access policies, and audit key usage.

Cons:

  • Complexity: Using CMK KMS introduces additional management overhead, including key rotation and auditing.

  • Performance: There could be a slight performance overhead due to the encryption and decryption processes.

Default Value:

By default, DynamoDB encrypts tables with AWS-managed keys. If the organization requires the use of CMK KMS for encryption, it must be explicitly configured when creating or modifying the DynamoDB table.

Pre-requisite:

  • AWS IAM Permissions:

    • dynamodb:DescribeTable

    • kms:DescribeKey

    • kms:ListAliases

  • AWS CLI installed and configured.

  • DynamoDB Table created and operational.

  • KMS Key (CMK) available for encryption purposes.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to DynamoDB under Services.

  3. In the DynamoDB Console, select Tables.

  4. Choose the DynamoDB table you want to check.

  5. In the Table details page, locate the Encryption at Rest section.

    • If CMK KMS is enabled, the Encryption at rest section will show the KMS Key ARN.

    • If the table is using AWS-managed keys, it will show as "AWS owned key".

  6. If the table is not using CMK KMS for encryption, follow the Implementation Steps below to enable it.

Using AWS CLI:

  1. To describe the DynamoDB table and check the encryption settings, run:

    aws dynamodb describe-table --table-name <table-name> --query 'Table.SSEDescription'

  2. The output will return the encryption information:

    • If the table is using CMK KMS encryption, it will display the KMS Key ARN.

    • If the table is using AWS-managed encryption, it will show "AWS_OWNED_KMS_KEY".
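A small audit helper, added here and not part of the SOP, that classifies a table's encryption mode from the `describe-table` and `kms describe-key` responses. It runs offline against the constructed sample responses below (placeholder account, region and key ids) and shows why `kms:DescribeKey` is in the prerequisites: `describe-table` returns only a key ARN, so the key's `KeyManager` field is what separates an AWS managed key (alias/aws/dynamodb) from a customer managed key.

```python
"""Classify a DynamoDB table's encryption-at-rest mode (added example)."""
# Works on the dicts returned by describe-table ("Table") and kms
# describe-key ("KeyMetadata"), so it runs offline on the constructed
# samples below; for live checks pass in boto3 responses instead.

AWS_OWNED = "AWS_OWNED_KEY"                 # no (or disabled) SSEDescription
AWS_MANAGED = "AWS_MANAGED_KEY"             # alias/aws/dynamodb, KeyManager "AWS"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KEY"   # CMK, KeyManager "CUSTOMER"


def classify_sse(table, key_metadata=None):
    """Return the encryption mode of a describe-table 'Table' dict.

    key_metadata is the KeyMetadata from kms describe-key for the table's
    KMSMasterKeyArn. It is required for KMS-encrypted tables because
    describe-table only returns a key ARN; the key's KeyManager field is
    what tells an AWS managed key from a customer managed key.
    """
    sse = table.get("SSEDescription")
    if not sse or sse.get("Status") in ("DISABLED", "DISABLING"):
        return AWS_OWNED
    if sse.get("SSEType") != "KMS":
        raise ValueError(f"unexpected SSEType {sse.get('SSEType')!r}")
    if key_metadata is None:
        raise ValueError(f"kms describe-key output needed for {sse.get('KMSMasterKeyArn')}")
    manager = key_metadata.get("KeyManager")
    if manager == "CUSTOMER":
        return CUSTOMER_MANAGED
    if manager == "AWS":
        return AWS_MANAGED
    raise ValueError(f"unknown KeyManager {manager!r}")


def is_compliant(table, key_metadata=None):
    """SOP requirement: the table must be encrypted with a customer managed key."""
    return classify_sse(table, key_metadata) == CUSTOMER_MANAGED


# Constructed sample responses; account, region and key ids are placeholders.
TABLE_OWNED = {"TableName": "orders", "TableStatus": "ACTIVE"}   # no SSEDescription
TABLE_KMS = {"TableName": "orders", "TableStatus": "ACTIVE", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}
KEY_CUSTOMER = {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "CUSTOMER", "KeyState": "Enabled"}
KEY_AWS = {"KeyId": "EXAMPLE-AWS-KEY-ID", "KeyManager": "AWS", "KeyState": "Enabled"}

if __name__ == "__main__":
    for label, tbl, key in (("owned", TABLE_OWNED, None), ("aws-managed", TABLE_KMS, KEY_AWS),
                            ("cmk", TABLE_KMS, KEY_CUSTOMER)):
        print(label, classify_sse(tbl, key), "OK" if is_compliant(tbl, key) else "NON-COMPLIANT")
```

A customer managed key whose `KeyState` is not `Enabled` (disabled or pending deletion) makes the table unreadable, so a fuller audit also checks `KeyState` from the same `describe-key` response.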

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to DynamoDB.

  2. In the DynamoDB Console, select Tables and choose the table to update.

  3. Under Table details, click on Modify.

  4. In the Encryption at rest section, select Enable encryption with CMK.

  5. Choose the KMS key (Customer Master Key) from the available keys or create a new CMK if needed.

  6. Save the changes to enable encryption at rest with CMK KMS.

Using AWS CLI:

  1. To modify the DynamoDB table and enable CMK KMS encryption at rest, run:

    aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<cmk-id>

  2. Verify the changes by running:

    aws dynamodb describe-table --table-name <table-name> --query 'Table.SSEDescription'

Backout Plan:

Using AWS Console:

  1. If enabling CMK encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to DynamoDB, select the table, and go to Edit encryption settings.

  3. Switch the encryption type to AWS-managed key.

  4. Save the changes and verify that the table is now using the AWS-managed key.

Using AWS CLI:

  1. To switch to AWS-managed encryption, use the following command:

    aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=alias/aws/dynamodb --region <region>

  2. Verify that the table is now using AWS-managed encryption by describing the table again:

    aws dynamodb describe-table --table-name <table-name> --region <region> --query 'Table.SSEDescription'

References:


CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |