Ensure DynamoDB table is encrypted with AWS Key Management Service for enhanced security.
Rule | DynamoDB table should be encrypted with AWS KMS
Framework | GxP EU Annex 11
Severity | Medium
DynamoDB Table Encryption with AWS KMS for GxP EU Annex 11 Compliance
Overview
Good Practice (GxP) regulations, including EU Annex 11, provide guidelines to ensure that pharmaceutical products maintain their quality and integrity. When using AWS DynamoDB to store data that falls under GxP criteria, particularly in the EU region, it's necessary to secure the data at rest using encryption. AWS Key Management Service (KMS) is the recommended solution for this purpose. This guide details the steps for applying AWS KMS encryption on a DynamoDB table to maintain compliance with EU Annex 11.
Preconditions
Before you proceed, ensure you have the following:
Step 1: Identify or Create a KMS Key
AWS CLI
aws kms create-key --description "DynamoDB GxP EU Annex 11 encryption"
Take note of the returned KeyId for use in encrypting your DynamoDB table.
Step 2: Encrypt DynamoDB Table With AWS KMS
AWS CLI
Encrypting a New Table
aws dynamodb create-table --table-name YourTableName --attribute-definitions ... --key-schema ... --provisioned-throughput ... --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=alias/YourKeyAlias
Replace YourTableName, attribute-definitions, key-schema, and provisioned-throughput with the table details, and replace YourKeyAlias with the alias of the key created in the previous step (the KeyId returned by create-key is also accepted for KMSMasterKeyId).
Encrypting an Existing Table
Currently, you cannot directly apply KMS encryption to an existing table that wasn't encrypted with a customer managed KMS key. You would need to create a new table with encryption and migrate your data.
Step 3: Verify Table Encryption
AWS CLI
aws dynamodb describe-table --table-name YourTableName
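As an added example that is not part of the original guide, the following Python evaluates the output of this describe-table command against the rule: a missing SSEDescription is treated as the AWS owned key, SSEType must be KMS, and when the matching kms describe-key output is supplied the key must also be customer managed, as in Step 1. The account ID, key ID and table name in the sample responses are constructed placeholders, and check_live_table assumes the aws CLI is installed and configured.

```python
import json
import subprocess
from typing import Optional, Tuple

def evaluate_table_encryption(describe_table: dict,
                              describe_key: Optional[dict] = None) -> Tuple[str, str]:
    """Return (status, reason) for a describe-table response, optionally with its describe-key."""
    sse = describe_table["Table"].get("SSEDescription")
    if sse is None:
        # DynamoDB omits SSEDescription entirely when the AWS owned key is in use.
        return "NON_COMPLIANT", "no SSEDescription: table uses the AWS owned key"
    if sse.get("Status") != "ENABLED":
        return "NON_COMPLIANT", f"SSE status is {sse.get('Status')}"
    if sse.get("SSEType") != "KMS":
        return "NON_COMPLIANT", f"SSEType is {sse.get('SSEType')!r}, expected KMS"
    key_arn = sse.get("KMSMasterKeyArn", "<unknown>")
    if describe_key is None:
        return "COMPLIANT", f"KMS key {key_arn} (key manager not verified)"
    manager = describe_key["KeyMetadata"].get("KeyManager")
    if manager != "CUSTOMER":
        # KeyManager is "AWS" for the aws/dynamodb key, "CUSTOMER" for a key you created.
        return "NON_COMPLIANT", f"{key_arn} is {manager} managed, not a customer managed key"
    return "COMPLIANT", f"customer managed KMS key {key_arn}"

def check_live_table(table_name: str) -> Tuple[str, str]:
    """Run Step 3's describe-table (plus describe-key) through the AWS CLI and evaluate it."""
    table = json.loads(subprocess.check_output(
        ["aws", "dynamodb", "describe-table", "--table-name", table_name]))
    key_arn = table["Table"].get("SSEDescription", {}).get("KMSMasterKeyArn")
    key = None
    if key_arn:
        key = json.loads(subprocess.check_output(
            ["aws", "kms", "describe-key", "--key-id", key_arn]))
    return evaluate_table_encryption(table, key)

# Constructed sample responses; account, key ID and table name are placeholders.
_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000001"
OWNED_KEY_TABLE = {"Table": {"TableName": "Batches", "TableStatus": "ACTIVE"}}
KMS_TABLE = {"Table": {"TableName": "Batches", "TableStatus": "ACTIVE",
                       "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                          "KMSMasterKeyArn": _KEY_ARN}}}
AWS_MANAGED_KEY = {"KeyMetadata": {"Arn": _KEY_ARN, "KeyManager": "AWS"}}
CUSTOMER_KEY = {"KeyMetadata": {"Arn": _KEY_ARN, "KeyManager": "CUSTOMER"}}

if __name__ == "__main__":
    for label, tbl, key in [("AWS owned key", OWNED_KEY_TABLE, None),
                            ("AWS managed key", KMS_TABLE, AWS_MANAGED_KEY),
                            ("customer managed key", KMS_TABLE, CUSTOMER_KEY)]:
        print(f"{label:22s} -> {evaluate_table_encryption(tbl, key)}")
```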
Check the SSEDescription field in the response to confirm the KMS key usage.
Troubleshooting Steps
If you encounter issues, check the following:
Remediation
If you have an existing table not using KMS, remediate by:
This guide contains precise information for configuring DynamoDB encryption with AWS KMS to align with GxP EU Annex 11 compliance. Be sure to keep the CLI commands and console navigation steps updated as AWS enhances its services.