Ensure customer managed keys (CMK) are used for server side encryption (SSE) of AWS DynamoDB tables

MEDIUM

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a key rotation period tailored to the organization's policy. With system-generated keys, expired or exposed keys can remain in use unnoticed, leaving the data inadequately protected. It is generally recommended to use a customer managed key wherever the service supports one.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the AWS DynamoDB table.
  2. Select Tables in the navigation pane.
  3. Select the necessary table.
  4. Find Encryption Type under Table details in the Overview tab.
  5. Select Manage Encryption and select KMS.
  6. Click Save.

In Terraform -
In the aws_dynamodb_table resource, set 'server_side_encryption.enabled' to 'true' and set 'server_side_encryption.kms_key_arn' to the ARN of a valid customer managed AWS KMS key. Enabling encryption without 'kms_key_arn' selects the AWS managed key (alias/aws/dynamodb), which is not a customer managed key.
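The following Terraform is an added illustration of the remediation above, not code from the policy page or from AWS. It places a table that fails this rule beside one that passes it, together with the customer managed KMS key the compliant table references. The resource names, table names and key alias are assumptions chosen for the example.

```hcl
# Added example (not part of the policy page). Resource and table names,
# the key alias and the table schema are illustrative assumptions.

# FAILS AC_AWS_0078: no server_side_encryption block, so the table is
# encrypted with the AWS-owned key and the account controls neither the
# key nor its rotation. (enabled = true without kms_key_arn would use the
# AWS managed key alias/aws/dynamodb, which also fails the rule.)
resource "aws_dynamodb_table" "orders_noncompliant" {
  name         = "orders-noncompliant"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }
}

# Customer managed key with automatic annual rotation enabled, used by
# the compliant table below.
resource "aws_kms_key" "dynamodb" {
  description         = "CMK for DynamoDB server-side encryption"
  enable_key_rotation = true
}

resource "aws_kms_alias" "dynamodb" {
  name          = "alias/dynamodb-orders"
  target_key_id = aws_kms_key.dynamodb.key_id
}

# PASSES AC_AWS_0078: encryption enabled and kms_key_arn points at the
# customer managed key's ARN.
resource "aws_dynamodb_table" "orders_compliant" {
  name         = "orders-compliant"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}
```

Referencing the key through aws_kms_key.dynamodb.arn rather than pasting a literal ARN keeps the table and its key in the same plan, so a review of the plan shows both the CMK and the table that depends on it, and the key cannot be silently dropped without Terraform flagging the dangling reference.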

References:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption

Policy Details

Rule Reference ID: AC_AWS_0078
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: DynamoDB

Frameworks