Ensure server side encryption (SSE) is using a customer-managed KMS Key for AWS DynamoDB tables

HIGH

Description

AWS DynamoDB tables can be encrypted at rest with a DynamoDB-owned key, with the AWS-managed KMS key for DynamoDB, or with a customer-managed key in the customer's own KMS account. Choosing the customer-managed key gives the customer the most flexibility and the strongest security posture overall. Full ownership of the keys used for encryption across the cloud infrastructure lets the customer set permissions on the keys directly through key policies, disable them in the event of a breach, rotate them as needed, and even schedule them for deletion. It is considered best practice to use KMS keys that are fully customer-managed whenever possible.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the DynamoDB service.
  2. Select Tables in the navigation pane.
  3. Choose the necessary table.
  4. Select the Additional Settings tab and locate the encryption section.
  5. Select Manage Encryption and choose either 'AWS managed key' or 'Stored in your account, and owned and managed by you'.
  6. Click Save.
    Note: it is recommended that users choose 'Stored in your account, and owned and managed by you'.

In Terraform -

  1. In the aws_dynamodb_table resource, set 'server_side_encryption.enabled' to 'true'.
  2. Set 'server_side_encryption.kms_key_arn' to a valid AWS KMS Key ARN.
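The following Terraform configuration is an added example, not code from the original rule page, showing the weak setting beside the corrected one. Note that setting 'server_side_encryption.enabled' to 'true' without a 'kms_key_arn' is accepted by Terraform but makes DynamoDB fall back to the AWS-managed key (alias/aws/dynamodb), which still fails this rule. The table names, key alias, attribute names and provider region are constructed placeholders.

```hcl
# Constructed example: table names, alias and region are placeholders.
provider "aws" {
  region = "us-east-1"
}

# Weak: SSE is enabled, but no customer-managed key is referenced.
# DynamoDB uses the AWS-managed key alias/aws/dynamodb, whose key policy
# the customer cannot edit, and which cannot be disabled or deleted by them.
resource "aws_dynamodb_table" "orders_weak" {
  name         = "orders-weak"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}

# Corrected: a customer-managed KMS key with automatic rotation enabled and
# a deletion window, so an accidental or malicious deletion request can be
# cancelled before the key material is gone.
resource "aws_kms_key" "dynamodb" {
  description             = "Customer-managed key for DynamoDB tables"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# A friendly alias so operators and audit tooling can find the key.
resource "aws_kms_alias" "dynamodb" {
  name          = "alias/dynamodb-tables"
  target_key_id = aws_kms_key.dynamodb.key_id
}

resource "aws_dynamodb_table" "orders" {
  name         = "orders"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  # Both attributes from the remediation steps: enable SSE and point it at
  # the customer-managed key's ARN.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}
```

After applying, the table's SSEDescription reports SSEType "KMS" with the customer key's ARN in KMSMasterKeyArn; a table that still shows the alias/aws/dynamodb key, or no KMSMasterKeyArn at all, has not been remediated.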

References:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption

Policy Details

Rule Reference ID: AC_AWS_0376
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: DynamoDB

Frameworks