Ensure that user data stored within Amazon DynamoDB tables is encrypted at rest using a key in AWS Key Management Service (AWS KMS) that lives in your account. DynamoDB encrypts every table at rest, but by default it uses an AWS owned key that does not appear in your account: you cannot view it, audit its use, control its rotation, or restrict access to it with a key policy. To have more granular control over your data encryption and decryption process, ensure that your tables are configured to use the AWS managed key (i.e. **aws/dynamodb**) or your own KMS customer managed key (CMK). To comply with rigorous regulatory standards, the AWS owned key (default key) should not be used for encryption at rest in Amazon DynamoDB.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Encryption at rest in DynamoDB protects your data using keys stored and managed in AWS Key Management Service (AWS KMS). Organizational policies, industry or government regulations, and internal compliance requirements often require that data at rest be encrypted with keys in your own account, so that every use of the key is recorded in AWS CloudTrail and, with a customer managed key, access can be restricted or revoked through the key policy and grants. Using AWS KMS keys removes the operational burden of handling key material yourself and lets you build applications with robust security measures that comply with strict encryption standards and regulatory requirements.
Audit
To determine the encryption type configured for your Amazon DynamoDB tables, inspect the SSEDescription element that DescribeTable returns for each table. If the element is absent, the table is encrypted with the AWS owned key. If it is present with SSEType KMS, KMSMasterKeyArn identifies the key; describe that key in AWS KMS and check whether its KeyManager is AWS (the aws/dynamodb key) or CUSTOMER (your own CMK).
Remediation / Resolution
To ensure that user data stored in your Amazon DynamoDB tables is encrypted at rest using an AWS KMS key in your account, select the AWS managed key (aws/dynamodb) or create a customer managed key with an alias, then update the SSE specification of each non-compliant table to reference that key. DynamoDB applies the change online: the table status moves to UPDATING and returns to ACTIVE once the data is re-encrypted, with no downtime and no application changes.
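The following script is an added example for the Audit and Remediation sections above; it is not Conformity's own check and not AWS code. It is built on the boto3 calls behind the CLI commands listed under References (list-tables, describe-table, describe-key, create-key, create-alias, update-table). The function names, the FakeKMS and FakeDynamoDB clients at the bottom, the key ARNs and the account ID 111122223333 are all constructed for offline demonstration; to run it against an account, pass real `boto3.client("dynamodb")` and `boto3.client("kms")` objects to audit() and remediate() instead.

```python
"""Classify the KMS key type behind each DynamoDB table and move tables off the
AWS owned (default) key. boto3 is not imported: pass real boto3 'dynamodb' and
'kms' clients to audit()/remediate(), or the fake clients below for a dry run."""
from typing import Any, Callable, Dict

AWS_OWNED = "AWS_OWNED"                # default key, not visible in your account
AWS_MANAGED = "AWS_MANAGED"            # aws/dynamodb key in your account
CUSTOMER_MANAGED = "CUSTOMER_MANAGED"  # your own customer managed key (CMK)


def classify_sse(table: Dict[str, Any], key_manager: Callable[[str], str]) -> str:
    """Classify one DescribeTable 'Table' element. DescribeTable omits SSEDescription
    for the AWS owned key, so absence of the field is the signal. aws/dynamodb vs.
    CMK needs KMS DescribeKey (KeyMetadata.KeyManager is 'AWS' or 'CUSTOMER')."""
    sse = table.get("SSEDescription")
    if not sse or sse.get("SSEType") != "KMS":
        return AWS_OWNED
    return AWS_MANAGED if key_manager(sse["KMSMasterKeyArn"]) == "AWS" else CUSTOMER_MANAGED


def audit(ddb, kms) -> Dict[str, str]:
    """{table_name: key type} for every table (list-tables, describe-table, describe-key)."""
    def key_manager(key_arn: str) -> str:
        return kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"]
    findings, kwargs = {}, {}
    while True:  # ListTables pages via LastEvaluatedTableName
        page = ddb.list_tables(**kwargs)
        for name in page["TableNames"]:
            findings[name] = classify_sse(ddb.describe_table(TableName=name)["Table"], key_manager)
        if "LastEvaluatedTableName" not in page:
            return findings
        kwargs = {"ExclusiveStartTableName": page["LastEvaluatedTableName"]}


def create_cmk(kms, alias: str, description: str) -> str:
    """create-key + enable-key-rotation + create-alias; returns the key ARN."""
    meta = kms.create_key(Description=description, KeyUsage="ENCRYPT_DECRYPT",
                          KeySpec="SYMMETRIC_DEFAULT")["KeyMetadata"]
    kms.enable_key_rotation(KeyId=meta["KeyId"])
    kms.create_alias(AliasName=alias, TargetKeyId=meta["KeyId"])
    return meta["Arn"]


def remediate(ddb, table_name: str, key_id: str) -> Dict[str, Any]:
    """update-table --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<key_id>.
    key_id may be a key ID, key ARN or alias (alias/aws/dynamodb for the AWS managed key).
    The update is asynchronous (TableStatus UPDATING), so wait for ACTIVE before re-auditing."""
    spec = {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": key_id}
    ddb.update_table(TableName=table_name, SSESpecification=spec)
    ddb.get_waiter("table_exists").wait(TableName=table_name)  # returns once ACTIVE
    return ddb.describe_table(TableName=table_name)["Table"]


class FakeKMS:
    """Constructed stand-in for the boto3 KMS client (fake ARNs, not a real account)."""
    def __init__(self):
        self.keys = {"arn:aws:kms:us-east-1:111122223333:key/aws-dynamodb-0000": "AWS"}
        self.aliases = {"alias/aws/dynamodb": next(iter(self.keys))}
    def describe_key(self, KeyId):
        arn = self.aliases.get(KeyId, KeyId)
        return {"KeyMetadata": {"Arn": arn, "KeyManager": self.keys[arn]}}
    def create_key(self, **_):
        arn = f"arn:aws:kms:us-east-1:111122223333:key/cmk-{len(self.keys):04d}"
        self.keys[arn] = "CUSTOMER"
        return {"KeyMetadata": {"KeyId": arn, "Arn": arn}}
    def enable_key_rotation(self, KeyId): pass
    def create_alias(self, AliasName, TargetKeyId): self.aliases[AliasName] = TargetKeyId


class FakeDynamoDB:
    """Constructed stand-in for the boto3 DynamoDB client; tables are plain dicts."""
    class _Waiter:
        def wait(self, **_): pass
    def __init__(self, kms: FakeKMS, tables: Dict[str, Dict[str, Any]]):
        self.kms, self.tables = kms, tables
    def list_tables(self, **_): return {"TableNames": sorted(self.tables)}
    def describe_table(self, TableName): return {"Table": self.tables[TableName]}
    def get_waiter(self, _name): return self._Waiter()
    def update_table(self, TableName, SSESpecification):
        key = self.kms.describe_key(KeyId=SSESpecification["KMSMasterKeyId"])["KeyMetadata"]["Arn"]
        self.tables[TableName]["SSEDescription"] = {"Status": "ENABLED", "SSEType": "KMS",
                                                     "KMSMasterKeyArn": key}


if __name__ == "__main__":
    kms = FakeKMS()
    ddb = FakeDynamoDB(kms, {
        "orders": {"TableName": "orders", "TableStatus": "ACTIVE"},   # AWS owned: no SSEDescription
        "users": {"TableName": "users", "TableStatus": "ACTIVE", "SSEDescription": {
            "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": kms.aliases["alias/aws/dynamodb"]}}})
    print(audit(ddb, kms))  # {'orders': 'AWS_OWNED', 'users': 'AWS_MANAGED'}
    remediate(ddb, "orders", create_cmk(kms, "alias/dynamodb-orders", "orders table key"))
    print(audit(ddb, kms))  # {'orders': 'CUSTOMER_MANAGED', 'users': 'AWS_MANAGED'}
```

Two caveats when running this for real. The principal calling update-table with a CMK needs permission on that key (the key policy or an IAM policy must allow it, including kms:DescribeKey and kms:CreateGrant), otherwise the update fails. And once a table uses a CMK, disabling or scheduling deletion of that key makes the table's data inaccessible, so protect the key with a restrictive key policy rather than by deleting it. For infrastructure as code the same setting is the SSESpecification property of AWS::DynamoDB::Table in CloudFormation (SSEEnabled, SSEType KMS, KMSMasterKeyId) and the server_side_encryption block of aws_dynamodb_table in the Terraform AWS provider (enabled, kms_key_arn).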
References
- AWS Documentation
- Amazon DynamoDB FAQs
- DynamoDB Encryption at Rest
- Encryption at Rest: How It Works
- Managing Encrypted Tables in DynamoDB
- AWS Command Line Interface (CLI) Documentation
- list-tables
- describe-table
- update-table
- create-key
- create-alias
- CloudFormation Documentation
- Amazon DynamoDB resource type reference
- Terraform Documentation
- AWS Provider
Enable Encryption at Rest with Amazon KMS Keys
Risk Level: High