
Rule: DynamoDB Table Encrypted with AWS KMS

Ensure DynamoDB table is encrypted with AWS Key Management Service for enhanced security.

Rule: DynamoDB table should be encrypted with AWS KMS
Framework: GxP EU Annex 11
Severity: Medium

DynamoDB Table Encryption with AWS KMS for GxP EU Annex 11 Compliance

Overview

Good Practice (GxP) regulations, including EU Annex 11, provide guidelines to ensure that pharmaceutical products maintain their quality and integrity. When using AWS DynamoDB to store data that falls under GxP criteria, particularly in the EU region, it's necessary to secure the data at rest using encryption. AWS Key Management Service (KMS) is the recommended solution for this purpose. This guide details the steps for applying AWS KMS encryption on a DynamoDB table to maintain compliance with EU Annex 11.

Preconditions

Before you proceed, ensure you have the following:

  • An AWS account with the necessary permissions to manage DynamoDB and KMS.
  • AWS CLI installed and configured with access to the concerned AWS environment.

Step 1: Identify or Create a KMS Key

AWS Management Console

  1. Go to the AWS KMS console.
  2. Choose "Customer managed keys" from the sidebar.
  3. Click "Create a key".
  4. Select "Symmetric" key type.
  5. Add aliases and descriptions to identify the key.
  6. Define key administrative and usage permissions.
  7. Finish key creation.

AWS CLI

aws kms create-key --description "DynamoDB GxP EU Annex 11 encryption"

Take note of the returned KeyId for use in encrypting your DynamoDB table.

Step 2: Encrypt DynamoDB Table With AWS KMS

AWS Management Console

  1. Navigate to the DynamoDB console.
  2. Choose the table you wish to encrypt or create a new one.
  3. In the "Overview" tab, go to the "Table details" section.
  4. Look for the "Encryption" setting; an existing table uses the AWS owned key by default.
  5. To modify it to use a customer managed key, you need to recreate the table with the desired KMS key.

AWS CLI

Encrypting a New Table

aws dynamodb create-table --table-name YourTableName --attribute-definitions ... --key-schema ... --provisioned-throughput ... --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=alias/YourKeyAlias

Replace YourTableName, attribute-definitions, key-schema, and provisioned-throughput with the table details, and replace YourKeyAlias with the alias of the key created in the previous step.

Encrypting an Existing Table

Currently, you cannot directly apply KMS encryption to an existing table that wasn't encrypted with a customer managed KMS key. You would need to create a new table with encryption and migrate your data.

Step 3: Verify Table Encryption

AWS Management Console

  1. Open the DynamoDB console.
  2. Select the table.
  3. Under the "Overview" tab, verify that the "Encryption" details show the KMS key used.

AWS CLI

aws dynamodb describe-table --table-name YourTableName

Check the SSEDescription field in the response to confirm the KMS key usage.
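As an added example that is not part of this rule page or of any vendor tooling, the following Python script applies the verification step to the JSON returned by aws dynamodb describe-table and aws kms describe-key, using constructed sample responses and placeholder key ARNs. It goes one step beyond the page by also distinguishing the AWS managed aws/dynamodb key from a customer managed key, which the table description alone cannot do.

```python
# Added example (not part of the original rule page): evaluate the rule
# "table encrypted with a customer managed AWS KMS key" against the JSON that
# `aws dynamodb describe-table` and `aws kms describe-key --key-id <arn>` return.
# The responses below are constructed samples, not output from a real account.

# Constructed describe-table responses. A table on the AWS owned key has no
# SSEDescription at all, so its absence is treated as a finding, not an error.
TABLE_AWS_OWNED = {"Table": {"TableName": "orders", "TableStatus": "ACTIVE"}}
TABLE_AWS_MANAGED = {"Table": {"TableName": "audit-trail", "TableStatus": "ACTIVE",
    "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/aws-managed-placeholder"}}}
TABLE_CMK = {"Table": {"TableName": "batch-records", "TableStatus": "ACTIVE",
    "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/cmk-placeholder"}}}

# Constructed describe-key KeyMetadata keyed by ARN. KeyManager ("AWS" vs
# "CUSTOMER") is what separates the AWS managed aws/dynamodb key from a customer
# managed key; the table description alone cannot tell the two apart.
KEY_METADATA = {
    "arn:aws:kms:eu-west-1:111122223333:key/aws-managed-placeholder":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:eu-west-1:111122223333:key/cmk-placeholder":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

def check_table_encryption(describe_table, key_metadata):
    """Return (compliant, reason) for one describe-table response."""
    sse = describe_table["Table"].get("SSEDescription")
    if sse is None:
        return False, "no SSEDescription: table uses the AWS owned key"
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return False, f"SSE status={sse.get('Status')} type={sse.get('SSEType')}"
    arn = sse.get("KMSMasterKeyArn")
    meta = key_metadata.get(arn)
    if meta is None:
        return False, f"no KeyMetadata for {arn}; run describe-key on it"
    if meta.get("KeyManager") != "CUSTOMER":
        return False, f"{arn} is an AWS managed key, not customer managed"
    if meta.get("KeyState") != "Enabled":
        return False, f"{arn} is in state {meta.get('KeyState')}"
    return True, f"encrypted with customer managed key {arn}"

def audit(tables, key_metadata):
    """Map table name -> (compliant, reason) for several describe-table responses."""
    return {t["Table"]["TableName"]: check_table_encryption(t, key_metadata) for t in tables}

if __name__ == "__main__":
    for name, (ok, why) in audit([TABLE_AWS_OWNED, TABLE_AWS_MANAGED, TABLE_CMK], KEY_METADATA).items():
        print(f"{name:14} {'PASS' if ok else 'FAIL'}  {why}")
```

With real input, feed the script the parsed output of aws dynamodb describe-table for each table and of aws kms describe-key for each KMSMasterKeyArn it reports.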

Troubleshooting Steps

If you encounter issues, check the following:

  • Ensure that you have the necessary permissions to create and manage KMS keys and DynamoDB tables.
  • Verify that the AWS region supports the desired KMS key type.
  • Confirm that the rate limits for KMS API requests are not exceeded.
  • Review any IAM policies and resource-based policies that could affect access.

Remediation

If you have an existing table not using KMS, remediate by:

  • Exporting the data from the existing table.
  • Creating a new encrypted table as per the steps mentioned.
  • Importing the data into the new table.

This guide contains precise information for configuring DynamoDB encryption with AWS KMS to align with GxP EU Annex 11 compliance. Keep the CLI commands and console navigation steps updated as AWS enhances its services.
