AWS KMS Customer Master Keys for Table Encryption

Risk level: High (not acceptable risk)

Rule ID: DynamoDB-004

Ensure that your Amazon DynamoDB tables are using AWS-managed Customer Master Keys (CMKs) instead of AWS-owned CMKs for Server-Side Encryption (SSE), in order to meet strict encryption compliance and regulatory requirements. DynamoDB has added support to enable you to switch from AWS-owned CMKs to customer-managed CMKs managed by Amazon Key Management Service (KMS), without having to implement any code or application changes to encrypt your data.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Organizational policies, industry or government regulations, and internal compliance requirements often require the use of Server-Side Encryption (SSE) using AWS-managed KMS Customer Master Keys (CMKs) to enhance the data security of your Amazon DynamoDB-based applications. Unlike the AWS-owned key, with AWS-managed CMK you can view the CMK and its key policy and audit the encryption and decryption of your DynamoDB data by examining the DynamoDB API calls to Amazon KMS using AWS CloudTrail.

Audit

To determine the Server-Side Encryption (SSE) type configured for your AWS DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to examine.

05 Select the Overview tab to access the DynamoDB resource details panel.

06 On the Overview panel, within Table details section, check the Encryption Type attribute value. If the configuration attribute value is set to DEFAULT, the selected Amazon DynamoDB table is configured to use AWS-owned Customer Master Keys (CMKs) for Server-Side Encryption.

07 Repeat steps no. 4 – 6 to verify the Server-Side Encryption (SSE) type for other Amazon DynamoDB tables available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region:

aws dynamodb list-tables
	--region us-east-1
	--output table
	--query 'TableNames'

02 The command output should return the requested AWS DynamoDB table names:

------------------------
|      ListTables      |
+----------------------+
| cc-rule-definitions  |
| cc-rule-capabilities |
+----------------------+

03 Run describe-table command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as identifier and custom query filters to expose the Server-Side Encryption type set for the selected Amazon DynamoDB table:

aws dynamodb describe-table
	--region us-east-1
	--table-name cc-rule-definitions
	--query 'Table.SSEDescription.SSEType'

04 The command output should return the Server-Side Encryption (SSE) type:

AES256

If describe-table command output returns AES256 instead of KMS, as shown in the example above, the selected Amazon DynamoDB table is configured to use AWS-owned Customer Master Keys instead of AWS-managed CMKs for Server-Side Encryption.

05 Repeat step no. 3 and 4 to determine the Server-Side Encryption (SSE) type for other AWS DynamoDB tables available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To reconfigure your existing Amazon DynamoDB tables to use AWS-managed Customer Master Keys (CMKs) for Server-Side Encryption (i.e. encryption at rest), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables to access the existing DynamoDB tables.

04 Select the Amazon DynamoDB table that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Overview tab to access the resource details panel.

06 On the Overview panel, within Table details section, click the Manage Encryption link available next to Encryption Type.

07 Inside Manage Encryption dialog box, select KMS to configure Server-Side Encryption (SSE) to use an AWS-managed CMK for data-at-rest encryption. Click Save to apply the changes. Once the changes are applied, the Encryption Type configuration attribute value should change to KMS.

08 Repeat steps no. 4 – 7 to configure Server-Side Encryption (SSE) with AWS-managed Customer Master Keys (CMKs) for other Amazon DynamoDB tables available in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-table command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to reconfigure as identifier (see Audit section part II to identify the right resource) to update the selected Amazon DynamoDB table to use the AWS-managed CMK for Server-Side Encryption (SSE). Replace the ARN set as value for the KMSMasterKeyId parameter with the ARN of the AWS-managed Customer Master Key (i.e. aws/dynamodb):

aws dynamodb update-table
	--region us-east-1
	--table-name cc-rule-definitions
	--sse-specification Enabled=true,SSEType="KMS",KMSMasterKeyId="arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

02 The command output should return the metadata for the modified AWS DynamoDB table:

{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-definitions",
        "AttributeDefinitions": [
            {
                "AttributeName": "RuleName",
                "AttributeType": "S"
            },
            {
                "AttributeName": "RuleType",
                "AttributeType": "S"
            }
        ],
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 2,
            "WriteCapacityUnits": 5,
            "ReadCapacityUnits": 5
        },
        "TableName": "cc-rule-definitions",
 
        ...
 
        "SSEDescription": {
		"Status": "ENABLED",
		"SSEType": "KMS",
		"KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
        },
        "KeySchema": [
            {
                "KeyType": "HASH",
                "AttributeName": "RuleName"
            },
            {
                "KeyType": "RANGE",
                "AttributeName": "RuleType"
            }
        ]
    }
}

03 Repeat step no. 1 and 2 to configure Server-Side Encryption (SSE) with AWS-managed Customer Master Keys (CMKs) for other Amazon DynamoDB tables available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
dynamodb
list-tables
describe-table
update-table

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

AWS KMS Customer Master Keys for Table Encryption

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related DynamoDB rules