Profile Applicability:

  • Level 1

Description:
 Encryption in transit ensures that data moving between your DynamoDB table and its clients is encrypted, protecting sensitive data from being intercepted or altered during transmission. AWS secures this traffic with TLS (Transport Layer Security).

Rationale:
 Encryption in transit protects data from unauthorized access during communication between clients and DynamoDB, ensuring confidentiality and integrity of sensitive data. It also helps meet regulatory compliance requirements for data protection.

Impact:
 Without encryption in transit, data could be intercepted, altered, or disclosed while being transmitted between clients and DynamoDB. This poses a risk to data confidentiality and integrity, potentially violating compliance requirements.

Default Value:
 By default, AWS DynamoDB encrypts data in transit using TLS (HTTPS) when accessing DynamoDB endpoints.

Pre-requisites:

  • An AWS account

  • DynamoDB tables created

  • Understanding of DynamoDB and VPC endpoint configuration

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to DynamoDB > Tables.

  3. Select the table for which encryption in transit needs to be verified.

  4. Review the Table Settings to ensure encryption in transit (HTTPS endpoint) is enabled.

Using AWS CLI:

  1. Run the following command:

     aws dynamodb describe-table --table-name <table-name>


  2. Check the output to ensure that the endpoint is using TLS/SSL encryption. Look for "SSEDescription": {"Status": "ENABLED"} indicating encryption in transit is enabled.
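The two checks in the CLI test plan above, as an added example that is not part of this benchmark page: a small Python script that verifies the client endpoint URL uses https:// (the TLS transport) and reads the SSEDescription status from constructed describe-table output. The endpoint URL and the sample JSON are assumptions made up for the example; note that SSEDescription reports the table's server-side encryption (at rest) setting, so the endpoint scheme check is the one that actually covers the connection.

```python
import json
from urllib.parse import urlparse

# Constructed sample of `aws dynamodb describe-table` output (not real account
# data), trimmed to the fields this check reads.
SAMPLE_DESCRIBE_TABLE = json.dumps({
    "Table": {
        "TableName": "orders",
        "TableStatus": "ACTIVE",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"},
    }
})


def endpoint_uses_tls(endpoint_url: str) -> bool:
    """True only if the client endpoint is an https:// URL (TLS on the wire)."""
    parts = urlparse(endpoint_url)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def sse_status(describe_table_output: str) -> str:
    """Return SSEDescription.Status as the test plan describes, or 'ABSENT'.

    This field reports the table's server-side (at rest) encryption setting;
    TLS on the connection is a property of the endpoint, checked separately.
    """
    table = json.loads(describe_table_output).get("Table", {})
    return table.get("SSEDescription", {}).get("Status", "ABSENT")


def check_in_transit(endpoint_url: str, describe_table_output: str) -> list:
    """Collect findings for both test-plan steps; an empty list means pass."""
    findings = []
    if not endpoint_uses_tls(endpoint_url):
        findings.append(f"endpoint {endpoint_url!r} does not use https://")
    status = sse_status(describe_table_output)
    if status != "ENABLED":
        findings.append(f"SSEDescription.Status is {status}, expected ENABLED")
    return findings


if __name__ == "__main__":
    # The region in the first URL is a placeholder; the second mimics a
    # plaintext --endpoint-url override that a client should never use.
    for url in ("https://dynamodb.us-east-1.amazonaws.com", "http://localhost:8000"):
        print(url, check_in_transit(url, SAMPLE_DESCRIBE_TABLE) or "OK")
```

The endpoint URL to feed in is whatever the client is configured with, for example the value passed to --endpoint-url or the endpoint shown by a boto3 client's meta.endpoint_url.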

Implementation Plan

Using AWS Console:

  1. Navigate to DynamoDB > Tables in the AWS Management Console.

  2. Select the DynamoDB table you want to secure.

  3. Under the Table Settings, ensure that the endpoint is set to HTTPS, not HTTP.

  4. If not already configured, switch to using the HTTPS endpoint for client connections.

Using AWS CLI:

  1. Update the table to enforce encryption in transit by using HTTPS for DynamoDB API calls.

  2. Use the following command to enable encryption in transit:

     aws dynamodb update-table --table-name <table-name> --stream-specification StreamEnabled=true,StreamViewType=NEW_IMAGE

  3. Ensure all clients use HTTPS endpoints for communication.

Backout Plan

Using AWS Console:

  1. Navigate to DynamoDB > Tables.

  2. Select the table, then modify the endpoint setting to use HTTP instead of HTTPS.

  3. Revert any modifications made for encryption in transit if required.

Using AWS CLI:

  1. Revert the table to HTTP access using the following command:

     aws dynamodb update-table --table-name <table-name> --stream-specification StreamEnabled=false

  2. Ensure the endpoint setting is set to HTTP for client connections.

References: