DynamoDB tables should be encrypted with KMS CMKs


Every DynamoDB table is encrypted at rest, but the default uses an AWS owned key that is not visible in your account and cannot be audited or controlled. Selecting a KMS key instead puts the table under a key in AWS KMS: encryption then covers the primary key, local and global secondary indexes, streams, global tables, and backups of the table. Note that the KMS option by itself selects the AWS managed key (aws/dynamodb); to satisfy this check with a customer managed key (CMK), which gives you control of the key policy and rotation and a CloudTrail record of every use, the specific key must be named when encryption is configured.

Console Remediation Steps

  • Navigate to DynamoDB.

  • In the navigation pane, choose Tables.

  • Select your table.

  • On the Overview tab, locate Encryption Type under Table details.

  • Click Manage Encryption.

  • Select KMS, and choose your customer managed key rather than the default AWS managed key (aws/dynamodb).

  • Click Save.

CLI Remediation Steps

  • KMS encryption can be enabled at table creation or on an existing table. In both cases SSEType=KMS without a key ID selects the AWS managed key; add KMSMasterKeyId (a key ID, key ARN, or alias) to use a customer managed key.

  • Create a KMS encrypted DynamoDB table:

    • aws dynamodb create-table --table-name <table-name> --attribute-definitions <attribute-names> --key-schema <attribute-names> --provisioned-throughput <throughput-parameters> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<key-id-or-arn>

  • Update an existing table with KMS encryption (the table status becomes UPDATING while the change is applied, and the SSE change cannot be combined with other update-table settings):

    • aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<key-id-or-arn>

  • Verify the result (a table on the default AWS owned key returns no SSEDescription at all):

    • aws dynamodb describe-table --table-name <table-name> --query 'Table.SSEDescription'
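The following script is an added example, not part of the original remediation text. It puts the check behind the console and CLI steps above into a form you can run across many tables: it reads each table's SSEDescription, asks KMS whether the key is AWS managed or customer managed (describe-table alone cannot tell you, since both return a key ARN), and optionally re-encrypts non-compliant tables with the CMK you name. It assumes the AWS CLI is configured with dynamodb:DescribeTable, dynamodb:UpdateTable and kms:DescribeKey permissions; the script name, the REMEDIATE variable and the verdict strings are this example's own conventions.

```shell
#!/usr/bin/env bash
# dynamodb_cmk_check.sh (hypothetical name): report, and optionally fix, DynamoDB
# tables that are not encrypted with a customer managed KMS key (CMK).
# Added example, not from the original page. Requires the AWS CLI.
set -eu

# Pure decision function, kept free of AWS calls so it can be tested offline.
#   $1 = SSEDescription.Status, or "None"/empty when describe-table returned no
#        SSEDescription at all (DynamoDB's default AWS owned key)
#   $2 = SSEDescription.SSEType (KMS for any KMS key)
#   $3 = KeyMetadata.KeyManager from kms describe-key: AWS or CUSTOMER
# Prints one verdict word and always returns 0; callers branch on the text.
classify_sse() {
  local status="${1:-None}" sse_type="${2:-}" key_manager="${3:-}"
  if [ "$status" = "None" ]; then
    echo "AWS_OWNED_KEY"          # default encryption, no KMS key involved
  elif [ "$status" != "ENABLED" ] || [ "$sse_type" != "KMS" ]; then
    echo "NOT_ENABLED_KMS"        # e.g. still UPDATING, or not a KMS type
  elif [ "$key_manager" = "CUSTOMER" ]; then
    echo "COMPLIANT"              # customer managed key: what this check wants
  else
    echo "AWS_MANAGED_KEY"        # aws/dynamodb: KMS, but not a CMK
  fi
}

# Look up one table and classify it. Uses --output text so no jq is needed;
# the three fields come back tab separated on one line, or as "None" when
# SSEDescription is absent.
check_table() {
  local table="$1" fields status sse_type key_arn key_manager=""
  fields=$(aws dynamodb describe-table --table-name "$table" \
             --query 'Table.SSEDescription.[Status,SSEType,KMSMasterKeyArn]' \
             --output text)
  # shellcheck disable=SC2086  # intentional word splitting on the tab-separated fields
  set -- $fields
  status="${1:-None}"; sse_type="${2:-}"; key_arn="${3:-}"
  if [ "$status" = "ENABLED" ] && [ "$sse_type" = "KMS" ]; then
    # Only KMS can say whether the key is AWS managed or customer managed.
    key_manager=$(aws kms describe-key --key-id "$key_arn" \
                    --query 'KeyMetadata.KeyManager' --output text)
  fi
  classify_sse "$status" "$sse_type" "$key_manager"
}

# Re-encrypt a table under the given CMK (key ID, key ARN, or alias/...).
# The table goes to UPDATING; nothing else may be changed in the same call.
remediate_table() {
  aws dynamodb update-table --table-name "$1" \
    --sse-specification "Enabled=true,SSEType=KMS,KMSMasterKeyId=$2"
}

# Usage: REMEDIATE=1 ./dynamodb_cmk_check.sh <cmk-id-or-arn> <table-name>...
# Without REMEDIATE=1 the script only reports. With no arguments it does nothing.
if [ "$#" -ge 2 ]; then
  cmk="$1"; shift
  for t in "$@"; do
    verdict=$(check_table "$t")
    echo "$t: $verdict"
    if [ "$verdict" != "COMPLIANT" ] && [ "${REMEDIATE:-0}" = "1" ]; then
      remediate_table "$t" "$cmk"
    fi
  done
fi
```

Treat AWS_OWNED_KEY and AWS_MANAGED_KEY as the two ways a table fails this check: the first is DynamoDB's default, the second is what you get from `SSEType=KMS` without a `KMSMasterKeyId`. Switching keys is an online operation, but run it on a test table first and make sure the CMK's key policy grants the DynamoDB service principal and your callers the access they need, or reads will fail once the table is bound to the new key.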