Rule: DynamoDB Table Encrypted with AWS KMS

Ensure DynamoDB table is encrypted with AWS KMS for enhanced data security.

Rule: DynamoDB table should be encrypted with AWS KMS
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

This rule ensures that the DynamoDB table is encrypted using AWS Key Management Service (KMS), in line with the NIST 800-171 Revision 2 security standards. Encrypting the DynamoDB table with a KMS key adds an extra layer of data protection and helps prevent unauthorized access and data breaches.

Troubleshooting Steps:

If the DynamoDB table is not encrypted with AWS KMS, follow these steps to troubleshoot the issue:

  1. Verify if the table is encrypted: Check the encryption status of the DynamoDB table.
  2. Identify the encryption key: Find out the AWS KMS encryption key associated with the DynamoDB table.
  3. Confirm the NIST 800-171 Revision 2 compliance: Ensure that the encryption meets the specific requirements outlined in the NIST 800-171 Revision 2 security standards.
  4. Check the IAM permissions: Verify that the IAM role associated with the DynamoDB table has the necessary permissions to access the AWS KMS encryption key.
  5. Check the AWS KMS key policy: Review the key policy attached to the AWS KMS encryption key to validate that it allows encryption of the DynamoDB table.
  6. Generate and review AWS CloudTrail logs: Enable AWS CloudTrail logging for any relevant API calls related to the DynamoDB table encryption. Review the logs to identify any errors or issues during the encryption process.

Necessary Codes:

No specific codes are required for this rule. However, you may need to use the AWS CLI or SDKs to interact with the DynamoDB table and AWS KMS.

Step-by-Step Guide for Remediation:

Follow the steps below to encrypt the DynamoDB table with AWS KMS:

  1. Identify the DynamoDB table: Determine the DynamoDB table that needs to be encrypted.
  2. Create an AWS KMS key: If an appropriate AWS KMS key doesn't exist, create one using the AWS Management Console, AWS CLI, or SDKs. Ensure that the KMS key is compliant with the NIST 800-171 Revision 2 security standards.
  3. Update the AWS KMS key policy: Modify the key policy of the AWS KMS key to allow the DynamoDB table to be encrypted. Grant the necessary IAM roles or users the required permissions to access and use the AWS KMS key.
  4. Encrypt the DynamoDB table: Use the AWS Management Console, AWS CLI, or SDKs to initiate the encryption process for the DynamoDB table. Select the appropriate AWS KMS key that was created or is already available. Follow the prompts or include the necessary parameters to encrypt the table.
  5. Verify the encryption status: After initiating the encryption process, check the encryption status of the DynamoDB table to ensure it is encrypted with the AWS KMS key.
  6. Test with sample data: Insert or retrieve some sample data from the DynamoDB table to confirm that encryption is functioning as expected.
  7. Enable AWS CloudTrail: Enable AWS CloudTrail logging for any relevant API calls related to the DynamoDB table encryption. This will help you monitor and audit any changes or issues with the encryption process.

By following these steps, you can ensure that your DynamoDB table is encrypted using AWS KMS and compliant with the NIST 800-171 Revision 2 security standards.
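The check in troubleshooting step 1 and remediation steps 4 and 5 can be automated. The following is an added example, not Cloud Defense's rule engine or AWS code: it classifies the `Table` element of a DynamoDB `DescribeTable` response and builds the `UpdateTable` request that switches a failing table to a KMS key. Table names, the key ARN and the key alias are constructed sample values; applying the request with boto3 (`dynamodb.update_table(**params)`) is left to the caller so the example runs offline.

```python
# Added example (not Cloud Defense's rule engine): classify the 'Table' element of a
# DescribeTable response and build the UpdateTable request that fixes a finding.
# Table names and the key ARN below are constructed sample values.

# Constructed samples. DynamoDB omits SSEDescription when the table uses the
# default AWS-owned key, so the first table has no SSE block at all.
SAMPLE_TABLES = [
    {"TableName": "orders-dev"},
    {"TableName": "orders-stage",
     "SSEDescription": {"Status": "UPDATING", "SSEType": "KMS"}},
    {"TableName": "orders-prod",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}},
]


def evaluate_sse(table):
    """Return (compliant, reason); only SSEType KMS with Status ENABLED passes."""
    sse = table.get("SSEDescription")
    if sse is None:
        return False, "AWS-owned key only, no KMS key in use"
    if sse.get("SSEType") != "KMS":
        return False, f"unexpected SSEType {sse.get('SSEType')!r}"
    if sse.get("Status") != "ENABLED":
        return False, f"KMS encryption status is {sse.get('Status')!r}"
    if not sse.get("KMSMasterKeyArn"):
        return False, "no KMSMasterKeyArn reported"
    return True, f"encrypted with {sse['KMSMasterKeyArn']}"


def remediation_params(table_name, kms_key_id):
    """UpdateTable request enabling KMS encryption; pass as
    dynamodb.update_table(**params) in boto3. kms_key_id: key ID, ARN or alias."""
    return {"TableName": table_name,
            "SSESpecification": {"Enabled": True, "SSEType": "KMS",
                                 "KMSMasterKeyId": kms_key_id}}


def audit(tables, kms_key_id):
    """Evaluate every table and return UpdateTable requests for the failing ones.
    Tables already switching (Status UPDATING) are reported but not re-submitted."""
    fixes = []
    for table in tables:
        ok, reason = evaluate_sse(table)
        print(f"{table['TableName']}: {'PASS' if ok else 'FAIL'} - {reason}")
        status = (table.get("SSEDescription") or {}).get("Status")
        if not ok and status != "UPDATING":
            fixes.append(remediation_params(table["TableName"], kms_key_id))
    return fixes
```

Running `audit(SAMPLE_TABLES, "alias/example-dynamodb-key")` reports the three sample tables and returns a single request for `orders-dev`; the table still in `UPDATING` is flagged but left alone until its status settles.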
