Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

DynamoDB Server-Side Encryption

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your AWS DynamoDB data at rest (tables, local secondary indexes, global secondary indexes and backups) is encrypted using Server-Side Encryption (SSE). The encryption process is using AWS-managed keys stored in AWS Key Management Service (KMS), adds no storage overhead and is completely transparent – you can insert, query, scan and delete items as before.

Security

When Server-Side Encryption (also known as encryption at rest) is enabled for your Amazon DynamoDB tables, you can effortlessly use the service for security-sensitive applications with strict encryption compliance and regulatory requirements.

Note: As of February 2018, Server-Side Encryption for DynamoDB is generally available in US East (N. Virginia), US East (Ohio), US West (Oregon) and EU (Ireland) at no extra cost (only AWS KMS encryption key usage charges apply).

Audit

To determine if encryption at rest is enabled for your Amazon DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to examine.

05 Select the Overview tab to access the resource details panel.

06 On the Overview panel, within Table details section, check the Encryption configuration attribute value. If the attribute value is set to DISABLED, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon DynamoDB table.

07 Repeat steps no. 4 – 6 to verify if other DynamoDB tables, available in the current region, are encrypted using Server-Side Encryption (SSE).

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region: 

aws dynamodb list-tables
	--region us-east-1
	--output table
	--query 'TableNames'

02 The command output should return the requested DynamoDB table names: 

------------------------
|      ListTables      |
+----------------------+
| cc-product-reviews   |
| cc-product-inventory |
+----------------------+

03 Run describe-table command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as identifier and custom query filters to expose the Server-Side Encryption feature status for the selected AWS DynamoDB table: 

aws dynamodb describe-table
	--region us-east-1
	--table-name cc-product-reviews
	--query "Table.SSEDescription.Status"

04 The command output should return the current status set for the SSE feature: 

DISABLED

If describe-table command output returns DISABLED, as shown in the example above, the Server-Side Encryption feature is currently disabled, therefore encryption at rest is not enabled for the selected AWS DynamoDB table.

05 Repeat step no. 3 and 4 to verify if other Amazon DynamoDB tables, available within the current region, are encrypted using SSE.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To make use of Server-Side Encryption (SSE) feature for your new Amazon DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Click Create table to initiate the setup process for the new DynamoDB table.

05 On the Create DynamoDB table page, perform the following:

  1. In the Table name box, type the name of the new DynamoDB table.
  2. For Primary key, within the Partition key box, type the primary key that will used by the table, then select the data type from the dropdown list available next to Partition key. (Optional) Select Add sort key checkbox if you want to define a sort key.
  3. Under Table settings, uncheck Use default settings checkbox and configure the table's default settings based on your requirements.
  4. Within Encryption At Rest section, select Enable encryption checkbox to enable encryption at rest for the new table.
  5. Once the table is fully configured, click Create to create the new DynamoDB table. As soon as the setup process is completed, the Encryption attribute value, available within Table details section, should be set to ENABLED.

06 Repeat step no. 4 and 5 to enable Server-Side Encryption (SSE) for other new AWS DynamoDB tables during setup process.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run create-table command (OSX/Linux/UNIX) to create a new DynamoDB table within your AWS account and enable Server-Side Encryption (SSE) during the setup process by setting --sse-specification parameter to Enabled=true, as shown in the command example below: 

aws dynamodb create-table
	--region us-east-1
	--table-name cc-product-reviews
	--attribute-definitions AttributeName=ProductName,AttributeType=S AttributeName=ProductType,AttributeType=S
	--key-schema AttributeName=ProductName,KeyType=HASH AttributeName=ProductType,KeyType=RANGE
	--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
	--sse-specification Enabled=true

02 The command output should return the new DynamoDB table metadata: 

{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews",
        "AttributeDefinitions": [
            {
                "AttributeName": "ProductName",
                "AttributeType": "S"
            },
            {
                "AttributeName": "ProductType",
                "AttributeType": "S"
            }
        ],
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 0,
            "WriteCapacityUnits": 5,
            "ReadCapacityUnits": 5
        },
        "TableName": "cc-product-reviews",

        ...

        "SSEDescription": {
            "Status": "ENABLED"
        },
        "KeySchema": [
            {
                "KeyType": "HASH",
                "AttributeName": "ProductName"
            },
            {
                "KeyType": "RANGE",
                "AttributeName": "ProductType"
            }
        ],
        "ItemCount": 0,
        "CreationDateTime": 1518461145.962
    }
}

03 Repeat step no. 1 and 2 to enable Server-Side Encryption (SSE) for other new AWS DynamoDB tables during setup process.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Related DynamoDB rules