Ensure that your Amazon DynamoDB tables are using AWS-managed Customer Master Keys (CMKs) instead of AWS-owned CMKs for Server-Side Encryption (SSE), in order to meet strict encryption compliance and regulatory requirements. DynamoDB has added support to enable you to switch from AWS-owned CMKs to customer-managed CMKs managed by Amazon Key Management Service (KMS), without having to implement any code or application changes to encrypt your data.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Organizational policies, industry or government regulations, and internal compliance requirements often require the use of Server-Side Encryption (SSE) using AWS-managed KMS Customer Master Keys (CMKs) to enhance the data security of your Amazon DynamoDB-based applications. Unlike the AWS-owned key, with AWS-managed CMK you can view the CMK and its key policy and audit the encryption and decryption of your DynamoDB data by examining the DynamoDB API calls to Amazon KMS using AWS CloudTrail.
To determine the Server-Side Encryption (SSE) type configured for your AWS DynamoDB tables, perform the following actions:
Remediation / Resolution
To reconfigure your existing Amazon DynamoDB tables to use AWS-managed Customer Master Keys (CMKs) for Server-Side Encryption (i.e. encryption at rest), perform the following actions:
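As an added example (not code from the Cloud Conformity rule page or its tooling), the following stdlib-only Python classifies a table's SSE type from a DynamoDB `DescribeTable` response and emits the `update-table` command that switches it to the AWS-managed KMS key; the table names, account id and key ARN in the sample responses are constructed, and the optional `key_manager` argument is the `KeyMetadata.KeyManager` value a separate `kms:DescribeKey` call would return for the table's key.

```python
# Constructed sample DescribeTable responses (not real account data).
# A table encrypted with the AWS-owned key returns no SSEDescription at all;
# a table encrypted with a KMS key reports SSEType "KMS" plus the key ARN.
SAMPLE_TABLES = {
    "orders-aws-owned": {"Table": {"TableName": "orders-aws-owned"}},
    "orders-kms": {"Table": {
        "TableName": "orders-kms",
        "SSEDescription": {
            "Status": "ENABLED",
            "SSEType": "KMS",
            "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    }},
}


def classify_sse(describe_table_response, key_manager=None):
    """Classify the server-side encryption of one DescribeTable response.

    key_manager is the optional KeyMetadata.KeyManager value ("AWS" or
    "CUSTOMER") from kms:DescribeKey on the table's KMSMasterKeyArn; without
    it, an AWS-managed key and a customer-managed key cannot be told apart.
    """
    sse = describe_table_response.get("Table", {}).get("SSEDescription")
    # Missing SSEDescription, or the AES256 type, means the AWS-owned key.
    if not sse or sse.get("SSEType", "AES256") != "KMS":
        return "AWS_OWNED"
    if key_manager == "AWS":
        return "AWS_MANAGED_KMS"
    if key_manager == "CUSTOMER":
        return "CUSTOMER_MANAGED_KMS"
    return "KMS_UNKNOWN_MANAGER"


def is_compliant(describe_table_response, key_manager=None):
    """The rule passes for any KMS-backed key; only the AWS-owned key fails."""
    return classify_sse(describe_table_response, key_manager) != "AWS_OWNED"


def remediation_cli(table_name):
    """CLI command that moves a table to the AWS-managed key (aws/dynamodb).

    Omitting KMSMasterKeyId selects the AWS-managed key; no application
    change is needed, as the rule description states.
    """
    return (f"aws dynamodb update-table --table-name {table_name} "
            "--sse-specification Enabled=true,SSEType=KMS")


def audit(tables, key_managers=None):
    """Return (table, classification, remediation-or-None) for each response."""
    key_managers = key_managers or {}
    results = []
    for name, resp in tables.items():
        kind = classify_sse(resp, key_managers.get(name))
        fix = None if kind != "AWS_OWNED" else remediation_cli(name)
        results.append((name, kind, fix))
    return results
```

In a real audit the responses come from `aws dynamodb describe-table` for every table returned by `list-tables`, and `key_managers` from `aws kms describe-key` on each reported key ARN.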
AWS KMS Customer Master Keys for Table Encryption
Risk level: High