AWS KMS Used for DynamoDB

Description

AWS DynamoDB encrypts all data at rest within the service. By default, the service uses an AWS owned and managed key. DynamoDB tables should be configured to use AWS Key Management Service (KMS) Customer Master Keys (CMKs) so that data at rest is encrypted with a key that is unique to your account. Usage of CMKs can be audited, and associated metadata, such as key rotation, is discoverable.

Rationale

Encryption at rest is required by many standards and organizational policies. By default, DynamoDB encrypts data with a customer master key (CMK) owned by the DynamoDB service, at no extra charge. You may optionally use a CMK managed by AWS Key Management Service (KMS), which stores the key in your account. The third option is to use a customer managed CMK, which stores the key in your account, and is created, owned and managed by you.

If you delete a KMS key from your account, then the data stored in DynamoDB will be inaccessible to anyone, including AWS.
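The three options above can be told apart from the table description only partially: DescribeTable omits the SSE description when the AWS owned key is in use, but reports SSEType "KMS" for both the AWS managed key and a customer managed key, and only KMS itself says who manages the key. The following is an added example, not part of the SecureCloudDB rule, that classifies tables into the three options and flags the deletion risk described above. Field names follow the AWS API shapes for DynamoDB DescribeTable (SSEDescription, KMSMasterKeyArn) and KMS DescribeKey (KeyMetadata.KeyManager, KeyMetadata.KeyState); the table and key records are constructed stand-ins for what those calls would return.

```javascript
// Added example (not part of the SecureCloudDB rule): classify a DynamoDB table's
// encryption-at-rest option and flag keys whose loss would make the data unreadable.
// Field names follow the AWS API shapes for DynamoDB DescribeTable (SSEDescription)
// and KMS DescribeKey (KeyMetadata); the sample records below are constructed.

// Classify using the table description plus an optional KMS key lookup. DescribeTable
// omits SSEDescription when the table uses the AWS owned key; SSEType "KMS" covers both
// the AWS managed key (alias/aws/dynamodb) and a customer managed key, so those two are
// told apart by KeyMetadata.KeyManager ("AWS" or "CUSTOMER") from kms:DescribeKey.
function classifyTableEncryption(sseDescription, keyMetadata) {
  if (!sseDescription || sseDescription.SSEType !== "KMS") {
    return "AWS_OWNED";
  }
  if (!keyMetadata) {
    return "KMS_UNKNOWN_MANAGER"; // KMS key could not be described (e.g. no kms:DescribeKey)
  }
  return keyMetadata.KeyManager === "CUSTOMER" ? "CUSTOMER_MANAGED" : "AWS_MANAGED";
}

// Findings a reviewer wants beside the classification: a customer managed key that is
// disabled or scheduled for deletion leaves the table's data unreadable once it is gone.
function assessTable(tableName, sseDescription, keyMetadata) {
  const encryption = classifyTableEncryption(sseDescription, keyMetadata);
  const findings = [];
  if (encryption === "AWS_OWNED") {
    findings.push("uses the AWS owned key; no account-scoped CMK and no key usage audit trail");
  }
  if (keyMetadata && keyMetadata.KeyState === "PendingDeletion") {
    findings.push(`CMK ${keyMetadata.KeyId} is scheduled for deletion; data becomes unreadable`);
  } else if (keyMetadata && keyMetadata.KeyState === "Disabled") {
    findings.push(`CMK ${keyMetadata.KeyId} is disabled; reads and writes will fail`);
  }
  // "compliant" mirrors the page's rule: any KMS CMK passes, the AWS owned key does not.
  return { tableName, encryption, compliant: encryption !== "AWS_OWNED", findings };
}

// Constructed DescribeTable results covering the three options from the rationale.
const sampleTables = [
  { TableName: "orders-default" }, // AWS owned key: no SSEDescription at all
  {
    TableName: "orders-aws-managed",
    SSEDescription: { Status: "ENABLED", SSEType: "KMS",
      KMSMasterKeyArn: "arn:aws:kms:us-east-1:111122223333:key/aaaa-aws-managed" },
  },
  {
    TableName: "orders-cmk",
    SSEDescription: { Status: "ENABLED", SSEType: "KMS",
      KMSMasterKeyArn: "arn:aws:kms:us-east-1:111122223333:key/bbbb-customer-cmk" },
  },
];

// Constructed kms:DescribeKey results, keyed by key ARN as a scanner would cache them.
const sampleKeys = {
  "arn:aws:kms:us-east-1:111122223333:key/aaaa-aws-managed":
    { KeyId: "aaaa-aws-managed", KeyManager: "AWS", KeyState: "Enabled" },
  "arn:aws:kms:us-east-1:111122223333:key/bbbb-customer-cmk":
    { KeyId: "bbbb-customer-cmk", KeyManager: "CUSTOMER", KeyState: "PendingDeletion" },
};

// Join each table to its key's metadata and assess it.
function assessAll(tables, keys) {
  return tables.map((t) => {
    const sse = t.SSEDescription;
    const key = sse && keys[sse.KMSMasterKeyArn];
    return assessTable(t.TableName, sse, key);
  });
}

for (const r of assessAll(sampleTables, sampleKeys)) {
  console.log(`${r.tableName}: ${r.encryption} compliant=${r.compliant}`, r.findings);
}
```

Against the constructed data, the first table is reported as AWS owned and non-compliant, the second as AWS managed and compliant, and the third as customer managed but with a finding, because its key is pending deletion; in a live scan the key records would come from kms:DescribeKey, which needs that permission on each key.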

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   dynamodb

Default Rule

const {isAwsDynamoDb} = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true when the table is encrypted with a
 *   KMS CMK (AWS managed or customer managed) rather than the default AWS owned key
 */
function validate(databaseSettings) {
    const expectedValue = "KMS"
    // Walk the nested settings defensively; a table on the AWS owned key has no
    // sseDescription, so a missing field means non-compliant rather than an error.
    const sseDescription = isAwsDynamoDb(databaseSettings) &&
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.dynamoDbInstance &&
        databaseSettings.awsDatabaseInstance.dynamoDbInstance.sseDescription
    // Coerce to a real boolean: a short-circuited && chain would otherwise yield undefined.
    const success = Boolean(sseDescription && sseDescription.sseType === expectedValue)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);