DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs


Although DynamoDB tables are encrypted at rest by default with AWS owned CMKs, using AWS managed CMKs or customer managed CMKs provides additional functionality via AWS KMS, such as viewing key policies, auditing usage, and rotating cryptographic material.

Console Remediation Steps

  • Navigate to DynamoDB.

  • In the navigation pane, choose Tables.

  • Select your table.

  • On the Overview tab, locate Encryption Type under Table details.

  • Click Manage Encryption.

  • Select KMS.

  • Click Save.

CLI Remediation Steps

  • KMS encryption can be enabled either at table creation or on an existing table.

  • Create a KMS encrypted DynamoDB table:

    • aws dynamodb create-table --table-name <table-name> --attribute-definitions <attribute-names> --key-schema <attribute-names> --provisioned-throughput <throughput-parameters> --sse-specification Enabled=true,SSEType=KMS

  • Update an existing table with KMS encryption:

    • aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS
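As an added example (not part of the original page), the check below classifies tables from describe-table output by the class of key protecting them and lists those still on the AWS owned key; the table records, key ARNs and the key-manager lookup are constructed stand-ins for the DynamoDB and KMS API responses.

```python
"""Classify DynamoDB tables by the kind of KMS key protecting them at rest.

Added example: operates on constructed dicts shaped like the `aws dynamodb
describe-table` Table object and the `aws kms describe-key` KeyManager field,
so it runs offline; swap in real API calls to use it against an account.
"""
from typing import Callable, Dict, List, Optional

# Constructed describe-table results (not real account data). A table using the
# default AWS owned key returns no SSEDescription at all.
SAMPLE_TABLES: Dict[str, dict] = {
    "orders": {"TableName": "orders"},
    "users": {"TableName": "users", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aaaa-aws-managed"}},
    "ledger": {"TableName": "ledger", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb-customer"}},
    "audit": {"TableName": "audit", "SSEDescription": {
        "Status": "UPDATING", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb-customer"}},
}

# Constructed stand-in for KeyMetadata.KeyManager from kms:DescribeKey, which is
# how an AWS managed key (aws/dynamodb) is told apart from a customer managed
# one: both ARNs have the same shape, so the ARN alone is not enough.
SAMPLE_KEY_MANAGER: Dict[str, str] = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-aws-managed": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-customer": "CUSTOMER",
}


def classify_table(table: dict, key_manager_of: Callable[[str], Optional[str]]) -> str:
    """Return AWS_OWNED, AWS_MANAGED_KMS, CUSTOMER_MANAGED_KMS, IN_TRANSITION or UNRESOLVED_KEY."""
    sse = table.get("SSEDescription") or {}
    if sse.get("SSEType") != "KMS":
        return "AWS_OWNED"          # no SSEDescription, or not a KMS key
    if sse.get("Status") != "ENABLED":
        return "IN_TRANSITION"      # ENABLING/UPDATING/DISABLING: re-check later
    manager = key_manager_of(sse.get("KMSMasterKeyArn", ""))
    if manager == "CUSTOMER":
        return "CUSTOMER_MANAGED_KMS"
    if manager == "AWS":
        return "AWS_MANAGED_KMS"
    return "UNRESOLVED_KEY"         # key not found (deleted, cross-account, no access)


def findings(tables: Dict[str, dict], key_manager_of: Callable[[str], Optional[str]]) -> List[str]:
    """Names of tables that do not pass the check, sorted for stable reports."""
    compliant = {"AWS_MANAGED_KMS", "CUSTOMER_MANAGED_KMS"}
    return sorted(n for n, t in tables.items() if classify_table(t, key_manager_of) not in compliant)


if __name__ == "__main__":
    for name, table in SAMPLE_TABLES.items():
        print(f"{name}: {classify_table(table, SAMPLE_KEY_MANAGER.get)}")
    print("findings:", findings(SAMPLE_TABLES, SAMPLE_KEY_MANAGER.get))
```

Without a KMSMasterKeyId in --sse-specification, the remediation commands above select the AWS managed key aws/dynamodb; pass KMSMasterKeyId=<key-id-or-arn> alongside Enabled=true,SSEType=KMS to use a customer managed CMK instead.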