AWS DynamoDB Tables Should Use KMS CMKs for Encryption
More Info:
Amazon DynamoDB tables should be using AWS-managed Customer Master Keys (CMKs) instead of AWS-owned CMKs for Server-Side Encryption (SSE), in order to meet strict encryption compliance and regulatory requirements. DynamoDB supports to switch from AWS-owned CMKs to customer-managed CMKs managed using Amazon Key Management Service (KMS), without any code to encrypt the data.Risk Level
MediumAddress
SecurityCompliance Standards
HIPAA, NIST, SOC2, GDPR, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of AWS DynamoDB tables not using KMS CMKs for encryption, you can follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console: Go to the AWS Management Console and sign in to your account.
- Navigate to DynamoDB: From the services menu, select DynamoDB to access the DynamoDB dashboard.
- Select the DynamoDB Table: Locate the DynamoDB table that you want to remediate and click on its name to open the table details.
- Configure Encryption: In the table details, click on the “Manage” tab and then select the “Encryption” option.
- Enable Server-Side Encryption: In the Encryption settings, select the option to enable server-side encryption.
- Choose KMS CMK: Choose the option to use a KMS key to encrypt the DynamoDB table. You can either select an existing KMS CMK or create a new one.
- Save Changes: Once you have selected the appropriate KMS CMK, save the changes to apply the encryption settings to the DynamoDB table.
- Verify Encryption: After saving the changes, verify that the encryption settings have been successfully applied to the DynamoDB table.
Using CLI
Using CLI
To remediate the misconfiguration of AWS DynamoDB tables not using KMS CMKs for encryption, you can follow these steps using AWS CLI:
-
List DynamoDB tables without KMS encryption:
Run the following command to list all DynamoDB tables that do not use KMS encryption:
-
Enable encryption with KMS CMK for DynamoDB table:
For each DynamoDB table that does not use KMS encryption, you can enable encryption with a KMS CMK by following these steps:
- Identify the KMS Key ID that you want to use for encryption. You can list the available KMS keys using:
- Update the DynamoDB table to enable encryption with the chosen KMS key. Replace
TABLE_NAMEandKMS_KEY_IDwith your actual values:
- Identify the KMS Key ID that you want to use for encryption. You can list the available KMS keys using:
-
Verify encryption status:
You can verify that encryption with KMS CMK has been enabled for the DynamoDB table by describing the table:
- Repeat for other DynamoDB tables: Repeat steps 2 and 3 for each DynamoDB table that does not use KMS encryption.
Using Python
Using Python
To remediate the misconfiguration of AWS DynamoDB tables not using KMS CMKs for encryption, you can follow these steps using Python and the AWS SDK (boto3):
- Install the AWS SDK for Python (boto3) if you haven’t already:
- Use the following Python script to update the encryption settings for your DynamoDB tables to use a KMS Customer Master Key (CMK) for encryption:
-
Replace
'YOUR_KMS_CMK_ARN'with the ARN of the KMS CMK that you want to use for encryption. - Run the Python script to update the encryption settings for all DynamoDB tables in your AWS account to use the specified KMS CMK for encryption.