DynamoDB tables should be encrypted with AWS or customer managed KMS keys

Description

Although DynamoDB tables are encrypted at rest by default with AWS owned KMS keys, using AWS managed or customer managed KMS keys provides additional functionality, such as viewing key policies, auditing usage, and rotating cryptographic material.

Remediation Steps

AWS Console

  • Navigate to DynamoDB.

  • In the navigation pane, choose Tables.

  • Select your table.

  • On the Overview tab, locate Encryption Type under Table details.

  • Click Manage Encryption.

  • Select KMS.

  • Click Save.

AWS CLI

  • KMS encryption can be enabled at table creation and on an existing table.

  • Create a KMS encrypted DynamoDB table:

    • aws dynamodb create-table --table-name <table-name> --attribute-definitions <attribute-names> --key-schema <attribute-names> --provisioned-throughput <throughput-parameters> --sse-specification Enabled=true,SSEType=KMS

  • Update an existing table with KMS encryption:

    • aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS
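
The CLI flags above set the encryption mode, but verifying it across an account means reading back what `describe-table` reports. The following Python script is an added example (not part of the original remediation text) that classifies tables from the `SSEDescription` element: a table on the default AWS owned key returns no `SSEDescription`, while AWS managed and customer managed keys both report `SSEType` `KMS` plus a key ARN, so telling those two apart needs the `KeyManager` field from `kms describe-key`. The `SAMPLE_TABLES` and `SAMPLE_KEYS` inputs are constructed for the example (made-up names and key IDs) and the function names are the example's own.

```python
import json

# Constructed sample outputs of `aws dynamodb describe-table --table-name <name>`.
# They follow the documented response shape, but names and key IDs are made up.
# A table on the default AWS owned key has no SSEDescription element; a table on
# an AWS managed or customer managed key reports SSEType "KMS" and the key ARN.
SAMPLE_TABLES = {
    "orders": {
        "Table": {"TableName": "orders", "TableStatus": "ACTIVE"}
    },
    "sessions": {
        "Table": {
            "TableName": "sessions",
            "TableStatus": "ACTIVE",
            "SSEDescription": {
                "Status": "ENABLED",
                "SSEType": "KMS",
                "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed",
            },
        }
    },
    "audit": {
        "Table": {
            "TableName": "audit",
            "TableStatus": "ACTIVE",
            "SSEDescription": {
                "Status": "ENABLED",
                "SSEType": "KMS",
                "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-managed",
            },
        }
    },
}

# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
# KeyManager is "AWS" for AWS managed keys (such as alias/aws/dynamodb) and
# "CUSTOMER" for customer managed keys; the ARN alone does not distinguish them.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed": {
        "KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-managed": {
        "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


def classify_encryption(describe_table_output, key_metadata):
    """Return (encryption_type, key_arn) for one parsed describe-table response.

    encryption_type is one of AWS_OWNED, AWS_MANAGED, CUSTOMER_MANAGED,
    KMS_UNRESOLVED (KMS in use but the key was not looked up) or UNKNOWN.
    """
    table = describe_table_output["Table"]
    sse = table.get("SSEDescription")
    # No SSEDescription, or KMS encryption being turned off: the table is (or will be)
    # on the AWS owned key, which this policy does not accept.
    if not sse or sse.get("Status") not in ("ENABLED", "ENABLING", "UPDATING"):
        return "AWS_OWNED", None
    if sse.get("SSEType") != "KMS":
        return "UNKNOWN", None
    arn = sse.get("KMSMasterKeyArn")
    meta = key_metadata.get(arn)
    if meta is None:
        return "KMS_UNRESOLVED", arn
    manager = meta.get("KeyManager")
    if manager == "AWS":
        return "AWS_MANAGED", arn
    if manager == "CUSTOMER":
        return "CUSTOMER_MANAGED", arn
    return "UNKNOWN", arn


def is_compliant(encryption_type):
    """The policy accepts AWS managed or customer managed KMS keys only."""
    return encryption_type in ("AWS_MANAGED", "CUSTOMER_MANAGED")


def audit(tables, key_metadata):
    """Map table name -> finding dict for every describe-table output given."""
    findings = {}
    for name, output in tables.items():
        etype, arn = classify_encryption(output, key_metadata)
        findings[name] = {"encryption": etype, "key_arn": arn,
                          "compliant": is_compliant(etype)}
    return findings


if __name__ == "__main__":
    # Feed real data by replacing SAMPLE_* with parsed `aws ... --output json` responses.
    print(json.dumps(audit(SAMPLE_TABLES, SAMPLE_KEYS), indent=2))
```

A table whose key could not be resolved is reported as `KMS_UNRESOLVED` rather than compliant, so a missing `kms:DescribeKey` permission in the auditing role shows up as a gap instead of a pass.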

CloudFormation

JSON

{
  "Properties" : {
    "SSESpecification" : {
      "SSEEnabled" : true
    }
  }
}
JSON Example Configuration
{
  "Type" : "AWS::DynamoDB::Table",
  "Properties" : {
    "SSESpecification" : {
      "SSEEnabled" : true
    }
    # other required fields here
  }
}

YAML

Properties:
  SSESpecification:
    SSEEnabled: true
YAML Example Configuration
Type: AWS::DynamoDB::Table
Properties:
  SSESpecification:
    SSEEnabled: true
# other required fields here
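
The CloudFormation fragments above show the compliant shape; the following Python function is an added example (not from the original page) of the corresponding template check, run over a constructed JSON-form template containing one compliant table, one with no `SSESpecification` (AWS owned key), one with `SSEEnabled` set to false, and a non-DynamoDB resource that must be ignored. The template contents and the function name `find_unencrypted_tables` are assumptions of this example.

```python
import json

# Constructed CloudFormation template in JSON form (the YAML form parses to the
# same structure). Only the fields needed for the check are filled in.
TEMPLATE = {
    "Resources": {
        "GoodTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "SSESpecification": {"SSEEnabled": True, "SSEType": "KMS"},
                "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
            },
        },
        # No SSESpecification at all: the table falls back to the AWS owned key.
        "DefaultTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
            },
        },
        # Explicitly disabled.
        "DisabledTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"SSESpecification": {"SSEEnabled": False}},
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def sse_enabled(properties):
    """True only when SSESpecification.SSEEnabled is the boolean true (or the
    string "true", which YAML templates sometimes carry)."""
    sse = properties.get("SSESpecification")
    if not isinstance(sse, dict):
        return False
    return sse.get("SSEEnabled") in (True, "true")


def find_unencrypted_tables(template):
    """Return the logical IDs of AWS::DynamoDB::Table resources that do not
    enable KMS server-side encryption, in template order."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DynamoDB::Table":
            continue
        if not sse_enabled(resource.get("Properties", {})):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    # For a real template: json.load(open("template.json")) in place of TEMPLATE.
    for logical_id in find_unencrypted_tables(TEMPLATE):
        print(f"{logical_id}: SSESpecification.SSEEnabled must be true")
```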

Terraform

  • Ensure that the aws_dynamodb_table server_side_encryption block has the enabled field set to true.

Example Configuration

resource "aws_dynamodb_table" "example" {
  server_side_encryption {
    enabled = true
  }
  # other required fields here
}