Ensure DynamoDB table is encrypted with AWS Key Management Service for enhanced security.
| Rule | DynamoDB table should be encrypted with AWS KMS |
| Framework | GxP 21 CFR Part 11 |
| Severity | Medium |
Rule Description
In order to comply with the GxP 21 CFR Part 11 regulations and ensure the security of sensitive data stored in DynamoDB tables, it is required to enable encryption using AWS Key Management Service (KMS).
Troubleshooting Steps
If there are any issues or errors encountered while encrypting a DynamoDB table with AWS KMS, you can follow these troubleshooting steps:
Verify AWS KMS key permissions: Ensure that the IAM role or user performing the encryption operation has the necessary permissions to access and use the desired AWS KMS key for encryption. Check if the key policy allows the encryption action for the role or user.
Check AWS KMS key status: Validate if the AWS KMS key being used for encryption is in the Enabled state. If not, enable the key and retry the encryption process.
Confirm DynamoDB table existence: Ensure that the DynamoDB table you are trying to encrypt actually exists. Check the table name and ensure it is spelled correctly.
Review IAM role permissions: Double-check if the IAM role or user attempting to perform the encryption operation has the required IAM permissions such as dynamodb:Encrypt, dynamodb:DescribeTable, and kms:Encrypt.
Verify AWS Region: Make sure that the DynamoDB table and the AWS KMS key are in the same AWS Region. Encryption with AWS KMS requires the DynamoDB table and the KMS key to be in the same Region.
Configuration Steps
To encrypt a DynamoDB table with AWS KMS for GxP 21 CFR Part 11 compliance, follow these step-by-step instructions:
Open the AWS Management Console and navigate to the DynamoDB service.
Select the desired DynamoDB table that needs to be encrypted.
In the "Table details" section, click on the "Manage encryption" button.
On the "Encryption" page, choose the option to enable encryption. Select AWS Key Management Service (KMS) as the encryption type.
In the "Master Key" dropdown menu, select the appropriate AWS KMS key that aligns with the GxP 21 CFR Part 11 requirements.
Click the "Save changes" button to enable encryption on the DynamoDB table.
Verification Steps
To verify if the DynamoDB table is encrypted with AWS KMS, follow these steps:
Go to the AWS Management Console and navigate to the DynamoDB service.
Find and select the encrypted DynamoDB table.
In the "Table details" section, check if the encryption is enabled and the AWS KMS key specified is the one required for GxP 21 CFR Part 11 compliance.
Example Code
There is no specific code example for this rule as the encryption configuration is applied through the AWS Management Console. However, for programmatic control, you can use AWS SDKs to set the encryption settings for DynamoDB tables using the respective programming language.
Remember to replace <table-name> with the name of your DynamoDB table:

```python
import boto3

ddb_client = boto3.client('dynamodb')
table_name = '<table-name>'

# Switch the table's server-side encryption to the chosen KMS key.
response = ddb_client.update_table(
    TableName=table_name,
    SSESpecification={
        'Enabled': True,
        'SSEType': 'KMS',
        'KMSMasterKeyId': '<kms-key-id>'
    }
)
# The status is typically UPDATING until the key change has been applied.
print(f"Encryption status: {response['TableDescription']['SSEDescription']['Status']}")
```

Note: Update <kms-key-id> with the actual key ID of the AWS KMS key to be used for encryption. Ensure that you have the necessary IAM permissions to run this code and replace the appropriate placeholders.
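The verification steps above are a manual console check; the following is an added example (not part of this rule page) that performs the same check programmatically against the DescribeTable response, distinguishing the default AWS owned key, an in-progress key change, and the wrong KMS key from a compliant table. EXPECTED_KEY_ARN and the sample table descriptions are constructed placeholders, and audit_table assumes credentials holding dynamodb:DescribeTable.

```python
from typing import Tuple

# Constructed placeholder: the customer managed KMS key your GxP configuration mandates.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def check_sse(table: dict, expected_key_arn: str) -> Tuple[bool, str]:
    """Evaluate the 'Table' dict that DescribeTable returns.

    DynamoDB always encrypts at rest, but it omits SSEDescription entirely
    when the table uses the default AWS owned key, so a missing block means
    the rule is not satisfied rather than "unknown".
    """
    sse = table.get("SSEDescription")
    if sse is None:
        return False, "no SSEDescription: table uses the AWS owned key"
    if sse.get("Status") != "ENABLED":
        return False, f"SSE status is {sse.get('Status')}, not ENABLED"
    if sse.get("SSEType") != "KMS":
        return False, f"SSEType is {sse.get('SSEType')}, not KMS"
    key_arn = sse.get("KMSMasterKeyArn", "")
    if key_arn != expected_key_arn:
        return False, f"encrypted with unexpected key {key_arn}"
    return True, "encrypted with the required KMS key"


def audit_table(table_name: str, expected_key_arn: str = EXPECTED_KEY_ARN) -> Tuple[bool, str]:
    """Fetch the live description (needs credentials and dynamodb:DescribeTable)."""
    import boto3  # imported here so check_sse stays usable without boto3 installed

    table = boto3.client("dynamodb").describe_table(TableName=table_name)["Table"]
    return check_sse(table, expected_key_arn)


# Constructed DescribeTable fragments covering the states an auditor will meet.
SAMPLE_DEFAULT_KEY = {"TableName": "batch-records"}  # AWS owned key: no SSEDescription
SAMPLE_UPDATING = {"TableName": "batch-records", "SSEDescription": {
    "Status": "UPDATING", "SSEType": "KMS", "KMSMasterKeyArn": EXPECTED_KEY_ARN}}
SAMPLE_WRONG_KEY = {"TableName": "batch-records", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"}}
SAMPLE_COMPLIANT = {"TableName": "batch-records", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": EXPECTED_KEY_ARN}}

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT_KEY, SAMPLE_UPDATING, SAMPLE_WRONG_KEY, SAMPLE_COMPLIANT):
        ok, why = check_sse(sample, EXPECTED_KEY_ARN)
        print("PASS" if ok else "FAIL", sample["TableName"], "-", why)
```

Run it against the embedded samples offline, or call audit_table("<table-name>") with credentials to check a live table.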
Remediation
If the DynamoDB table is not currently encrypted with AWS KMS, follow the configuration steps mentioned above to enable encryption for GxP 21 CFR Part 11 compliance. Verify the encryption status after the changes to ensure successful remediation.
Additionally, ensure that any new tables created in the future also follow the encryption requirements by enabling encryption with AWS KMS during the table creation process.