Profile Applicability:
- Level 1
Description:
Amazon DynamoDB encrypts all table data at rest. The key used can be an AWS owned key (the default, held by the service outside your account), the AWS managed key for DynamoDB in your account (alias/aws/dynamodb), or a customer managed key that you create in AWS Key Management Service (KMS). Keeping the key in your own account lets you scope its key policy, rotate it, and audit every use of it in CloudTrail, which protects the data even if someone gains access to the underlying storage media.
Rationale:
Encrypting data at rest with a key you control protects sensitive data from unauthorized access at the storage layer, even if the storage media are compromised, and gives you an audit trail of key usage. It also helps meet security standards and regulations that require encryption of sensitive data, such as PCI DSS and HIPAA.
Impact:
A table left on the AWS owned key is still encrypted, but the key is not visible in your account: you cannot restrict its key policy, audit its use in CloudTrail, or revoke access to the data by disabling it. Note that encryption at rest addresses the storage layer only; a principal with IAM permission to read the table (for example dynamodb:GetItem or dynamodb:Scan) still sees plaintext. Conversely, once a table uses a customer managed key, disabling or deleting that key makes the table unreadable, so key lifecycle must be managed with care.
Default Value:
By default, every DynamoDB table is encrypted at rest with an AWS owned key. Encryption cannot be turned off; a table can instead be switched to the AWS managed key (alias/aws/dynamodb) or to a customer managed KMS key for additional control. AWS now calls these "KMS keys"; older documentation and some console text still say "customer master key (CMK)".
Pre-requisites:
An AWS account
DynamoDB tables created
AWS Key Management Service (KMS) available, with a customer managed key already created if one is to be used, and IAM permissions for dynamodb:DescribeTable, dynamodb:UpdateTable and kms:DescribeKey
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to DynamoDB > Tables.
Select the desired DynamoDB table.
On the table's Additional settings tab, under Encryption, note which key type is shown: Owned by Amazon DynamoDB (the default AWS owned key), AWS managed key, or Stored in your account, and owned and managed by you (a customer managed key). Ensure the key type is one your policy accepts; the AWS managed key or a customer managed key is required when you need to control or audit the key.
Using AWS CLI:
Run
aws dynamodb describe-table --table-name <table-name> --query "Table.SSEDescription"
If the output is null, SSEDescription is absent and the table uses the AWS owned key.
Otherwise ensure that Status is ENABLED, SSEType is KMS and KMSMasterKeyArn is set (the output field is KMSMasterKeyArn, not KMSMasterKeyId). DescribeTable reports a key ARN, not an alias, so to tell the AWS managed key from a customer managed key run aws kms describe-key --key-id <key-arn> and read KeyManager (AWS or CUSTOMER). If SSEDescription contains InaccessibleEncryptionDateTime, the key has been disabled or deleted and the table can no longer be read.
Implementation Plan
Using AWS Console:
Go to DynamoDB > Tables in the AWS Management Console.
Select the table you want to enable encryption for.
Open the Additional settings tab and, under Encryption, choose Manage encryption.
Select AWS managed key, or select Stored in your account, and owned and managed by you and choose the customer managed KMS key.
Save the changes. The table status shows UPDATING while DynamoDB re-encrypts the data; the table stays available for reads and writes during the switch.
Using AWS CLI:
To create a new table with a KMS key in your account, use the following command (KMSMasterKeyId accepts a key ID, key ARN, alias name or alias ARN; omit it to use the AWS managed key alias/aws/dynamodb):
aws dynamodb create-table --table-name <table-name> --attribute-definitions AttributeName=<attribute-name>,AttributeType=S --key-schema AttributeName=<attribute-name>,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<kms-key-id>
For an existing table, update the table to switch it to the key:
aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<kms-key-id>
The command returns while TableStatus is UPDATING; re-run the describe-table check above to confirm the new KMSMasterKeyArn once the status is ACTIVE.
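The Test Plan and Implementation Plan above can be run across every table in a region rather than one table at a time. The following script is an added example for this item, not AWS or CIS code: it classifies the "Table" object that aws dynamodb describe-table or boto3 describe_table() returns, distinguishes the AWS owned key (no SSEDescription) from the AWS managed and customer managed keys (via the KeyManager field of kms describe-key), flags a table whose key has become inaccessible, and emits the update-table command for each non-compliant table. The sample responses, ARNs and the alias alias/app-ddb in the test are constructed for the example; live_audit() assumes boto3 and AWS credentials are available.

```python
"""Audit the encryption-at-rest key type of DynamoDB tables.

Added example for this benchmark item, not AWS code. It works on the
"Table" object returned by `aws dynamodb describe-table` / boto3
describe_table(). The sample responses below are constructed so the
script runs offline; live_audit() runs the same logic against an account.
"""
import json

# Classification names chosen for this example.
AWS_OWNED = "AWS_OWNED_KEY"                # DescribeTable omits SSEDescription
AWS_MANAGED = "AWS_MANAGED_KEY"            # alias/aws/dynamodb, KeyManager "AWS"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KEY"  # KeyManager "CUSTOMER"
INACCESSIBLE = "INACCESSIBLE_KMS_KEY"      # key disabled/deleted; table unreadable
COMPLIANT = {AWS_MANAGED, CUSTOMER_MANAGED}


def classify_sse(table, key_manager):
    """Return (classification, kms_key_arn) for one DescribeTable 'Table' dict.

    key_manager(arn) must return the KeyManager value of kms describe-key
    ("AWS" or "CUSTOMER"); DescribeTable reports only a key ARN, so that call
    is what tells the AWS managed key from a customer managed key.
    """
    sse = table.get("SSEDescription")
    if not sse:
        # No SSEDescription: AWS owned key. Still encrypted, but no key in your
        # account whose policy, rotation or CloudTrail usage you control.
        return AWS_OWNED, None
    if sse.get("InaccessibleEncryptionDateTime"):
        # The key was disabled or scheduled for deletion; DynamoDB can no longer
        # decrypt the table (TableStatus INACCESSIBLE_ENCRYPTION_CREDENTIALS).
        return INACCESSIBLE, sse.get("KMSMasterKeyArn")
    # Status DISABLED/DISABLING or a missing KMS key ARN also means the AWS owned key.
    if sse.get("Status") in ("DISABLED", "DISABLING") or sse.get("SSEType") != "KMS":
        return AWS_OWNED, None
    arn = sse.get("KMSMasterKeyArn")
    if not arn:
        return AWS_OWNED, None
    kind = CUSTOMER_MANAGED if key_manager(arn) == "CUSTOMER" else AWS_MANAGED
    return kind, arn


def audit(tables, key_manager, target_key_id=None):
    """Classify each table and build the remediation command for non-compliant ones."""
    findings = []
    for table in tables:
        name = table["TableName"]
        kind, arn = classify_sse(table, key_manager)
        finding = {"TableName": name, "KeyType": kind, "KMSKeyArn": arn,
                   "Compliant": kind in COMPLIANT, "Remediation": None}
        if kind == AWS_OWNED:
            spec = "Enabled=true,SSEType=KMS"
            if target_key_id:  # omit KMSMasterKeyId to select the AWS managed key
                spec += f",KMSMasterKeyId={target_key_id}"
            finding["Remediation"] = (
                f"aws dynamodb update-table --table-name {name} --sse-specification {spec}")
        elif kind == INACCESSIBLE:
            finding["Remediation"] = (
                f"re-enable or cancel deletion of {arn}; {name} is unreadable until then")
        findings.append(finding)
    return findings


def parse_describe_table(text):
    """Extract the 'Table' object from `aws dynamodb describe-table` JSON output."""
    return json.loads(text)["Table"]


def live_audit(region, target_key_id=None):
    """Run the audit against a real account (assumes boto3 and credentials)."""
    import boto3
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    names = [n for page in ddb.get_paginator("list_tables").paginate()
             for n in page["TableNames"]]
    tables = [ddb.describe_table(TableName=n)["Table"] for n in names]
    manager = lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
    return audit(tables, manager, target_key_id)


# Constructed sample responses (shapes match DescribeTable; account and key IDs are made up).
SAMPLE_TABLES = [
    {"TableName": "orders"},  # no SSEDescription: AWS owned key, the default
    {"TableName": "customers", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aaaa-managed"}},
    {"TableName": "payments", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb-custom"}},
    {"TableName": "archive", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/cccc-custom",
        "InaccessibleEncryptionDateTime": "2024-01-01T00:00:00Z"}},
]
# Stand-in for the KeyManager field of kms describe-key, keyed by ARN.
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-managed": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-custom": "CUSTOMER",
    "arn:aws:kms:us-east-1:111122223333:key/cccc-custom": "CUSTOMER",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLES, SAMPLE_KEY_MANAGER.get, target_key_id="alias/app-ddb"):
        print(json.dumps(finding))
```

Run as shown to see the four sample findings; for a real region call live_audit("us-east-1", "alias/app-ddb") instead. The audit treats both the AWS managed key and a customer managed key as compliant, matching the Test Plan above; tighten COMPLIANT to {CUSTOMER_MANAGED} if your policy requires a key you own.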
Backout Plan
Using AWS Console:
Go to DynamoDB > Tables.
Select the table and go to Table details.
Encryption at rest cannot be disabled; backing out means returning the table to the AWS owned key. On the Additional settings tab, under Encryption, choose Manage encryption and select Owned by Amazon DynamoDB.
Confirm the changes and save. Do not disable or schedule deletion of the customer managed key until no table still references it, or those tables become unreadable.
Using AWS CLI:
Run the following command to return the table to the AWS owned key (Enabled=false does not remove encryption; it selects the AWS owned key):
aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=false
References: