
Rule: DynamoDB Table Encrypted with AWS KMS

Ensure that DynamoDB table is encrypted using AWS Key Management Service (KMS) for enhanced security.

Rule: DynamoDB table should be encrypted with AWS KMS
Framework: CISA-cyber-essentials
Severity: Medium

DynamoDB Table Encryption Rule for CISA Cyber Essentials

Description:

To comply with the CISA Cyber Essentials framework, all DynamoDB tables should be encrypted using AWS Key Management Service (KMS). Encryption with AWS KMS provides an additional layer of security to protect sensitive data stored in DynamoDB tables.

Troubleshooting Steps:

If there are any issues with encrypting a DynamoDB table with AWS KMS, follow the troubleshooting steps below:

  1. Verify IAM Role Permissions: Ensure that the IAM role used to access DynamoDB has sufficient permissions to interact with AWS KMS encryption. The role should have the necessary decryption and encryption permissions along with DynamoDB operations permissions.

  2. Check KMS Key Policy: Confirm that the Key Management Service (KMS) key used for encryption has the correct key policy attached. The key policy should allow encryption and decryption operations for the IAM role mentioned in the DynamoDB encryption configuration.

  3. Review DynamoDB Table Configuration: Double-check the DynamoDB table configuration to ensure that the appropriate encryption settings are applied. Verify that the encryption option is enabled and set to use AWS KMS as the encryption provider.

  4. Check AWS Region Compatibility: Confirm that both the DynamoDB table and the KMS key are in the same AWS region. DynamoDB and KMS operate within specific regions, so cross-region configurations may cause encryption-related issues.

  5. Examine AWS KMS Service Limit: If there are multiple DynamoDB tables being encrypted, check if the AWS KMS service limit for active keys has been reached. If the limit is exceeded, you may need to request a limit increase.

Necessary Codes:

No specific codes are required for this encryption rule. The encryption configuration can be managed through the AWS Management Console or AWS CLI.

Step-by-step Guide for Encryption using AWS Management Console:

  1. Log in to the AWS Management Console.
  2. Navigate to the DynamoDB section.
  3. Select the relevant DynamoDB table that needs to be encrypted.
  4. Click on the "Encryption" tab or section within the table configuration.
  5. Enable the encryption option and select "AWS Key Management Service (KMS)" as the encryption provider.
  6. Choose the desired AWS KMS key from the available list or create a new KMS key if needed.
  7. Save the changes to apply encryption to the DynamoDB table.

Step-by-step Guide for Encryption using AWS CLI:

  1. Install and configure the AWS CLI if not already done.
  2. Open the terminal or command prompt.
  3. Run the following command to enable encryption on the DynamoDB table:

     aws dynamodb update-table --table-name <table-name> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<kms-key-id>

     Replace <table-name> with the actual name of the DynamoDB table and <kms-key-id> with the ARN or Key ID of the desired KMS key. The shorthand value passed to --sse-specification must be written without spaces after the commas, otherwise the CLI parses it as separate arguments. If the KMS key does not exist, create it using the AWS CLI or AWS Management Console.

  4. Once the command is executed successfully, the DynamoDB table will be encrypted using AWS KMS.
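The CLI step above remediates a single table; auditing an account for this rule means reading each table's encryption settings and deciding whether it is KMS-encrypted. The following Python script is an added example written for this page (it is not Cloud Defense's or AWS's code). It assumes table descriptions in the shape returned by DynamoDB's DescribeTable API (what boto3's describe_table returns under "Table"), evaluates them against the rule, and emits the page's update-table command for any table that fails. The sample table descriptions, table names and key ARN are constructed for illustration; the `evaluate_account` function is the only part that needs boto3 and live credentials.

```python
"""Evaluate DynamoDB tables against the rule 'table is encrypted with AWS KMS'.

Added example, not part of the original page. Input dicts follow the shape
of dynamodb:DescribeTable output (boto3: describe_table(...)["Table"]).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    table_name: str
    compliant: bool
    reason: str
    remediation: Optional[str] = None


def evaluate_table(table: dict, kms_key_id: str = "<kms-key-id>") -> Finding:
    """Classify one table description.

    DynamoDB omits SSEDescription entirely when a table uses the default
    AWS-owned key, so a missing block means 'not KMS-encrypted' for this rule.
    SSEDescription.Status is one of ENABLING, ENABLED, DISABLING, DISABLED,
    UPDATING; only ENABLED with SSEType KMS satisfies the rule.
    """
    name = table["TableName"]
    sse = table.get("SSEDescription")
    # Remediation is the page's CLI command; <kms-key-id> is a placeholder.
    fix = (f"aws dynamodb update-table --table-name {name} "
           f"--sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId={kms_key_id}")
    if sse is None:
        return Finding(name, False,
                       "no SSEDescription: table uses the default AWS-owned key", fix)
    if sse.get("Status") != "ENABLED":
        return Finding(name, False,
                       f"SSE status is {sse.get('Status')!r}, not ENABLED", fix)
    if sse.get("SSEType") != "KMS":
        return Finding(name, False,
                       f"SSEType is {sse.get('SSEType')!r}, not KMS", fix)
    arn = sse.get("KMSMasterKeyArn") or "(ARN not reported)"
    return Finding(name, True, f"encrypted with KMS key {arn}")


def evaluate_all(tables: List[dict]) -> List[Finding]:
    """Evaluate a list of table descriptions (offline, no AWS calls)."""
    return [evaluate_table(t) for t in tables]


def evaluate_account(region: str) -> List[Finding]:
    """Live variant: page through ListTables and call DescribeTable per table.

    Requires dynamodb:ListTables and dynamodb:DescribeTable. boto3 is imported
    lazily so the offline part of this example runs without it installed.
    """
    import boto3  # assumed available in a real environment
    ddb = boto3.client("dynamodb", region_name=region)
    findings = []
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            findings.append(evaluate_table(ddb.describe_table(TableName=name)["Table"]))
    return findings


# Constructed sample responses: shapes follow DescribeTable, values are made up.
SAMPLE_TABLES = [
    {"TableName": "orders",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"TableName": "sessions"},  # default AWS-owned key: SSEDescription absent
    {"TableName": "audit", "SSEDescription": {"Status": "DISABLING", "SSEType": "KMS"}},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_TABLES):
        print("PASS" if f.compliant else "FAIL", f.table_name, "-", f.reason)
        if f.remediation:
            print("    remediation:", f.remediation)
```

Running the script prints one PASS/FAIL line per sample table; only "orders" passes. In a real audit, replace the sample list with `evaluate_account("<region>")` and feed the emitted remediation commands into your change process rather than running them blindly, since switching a table to a customer managed key also requires the key policy and IAM permissions covered in the troubleshooting steps.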

Note: Ensure that the AWS CLI has appropriate IAM credentials with permissions to update the DynamoDB table encryption and interact with KMS.

Please note that these instructions are a general guideline and may vary depending on your specific environment and requirements. It is always recommended to refer to official AWS documentation and consult with an AWS expert for accurate implementation.
