Amazon DynamoDB

DynamoDB Missing KMS Encryption

This plugin ensures DynamoDB tables are encrypted using a customer-owned KMS key.

Risk Level: Medium

Description

This plugin ensures DynamoDB tables are encrypted using a customer-owned KMS key. DynamoDB tables can be encrypted with either AWS-owned or customer-owned KMS keys. To retain better control and flexibility over who can access the data, customer-managed keys must be used.

About the Service

Amazon DynamoDB: As per the AWS documentation, Amazon DynamoDB is a fully managed NoSQL database designed to run high-performance applications at any scale. Alongside its high performance and serverless operation, DynamoDB also offers utilities such as built-in security, continuous backups, and data export tools.

Impact

AWS customer-managed keys give you more flexibility to strengthen the encryption controls on DynamoDB tables and thus deliver better security. The default keys provide only a minimal level of security.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the DynamoDB Management Console. You can use this link (https://console.aws.amazon.com/dynamodbv2) to navigate there directly if you are already logged in.
  3. Move to the Tables section in the left navigation pane.
  4. A list of tables in the region appears. Select the one you wish to examine by clicking on its name.
  5. Move to the Additional Settings tab.
  6. In the Encryption section, click on Manage Encryption.
  7. If the encryption key is Owned by Amazon DynamoDB, the vulnerability exists.
  8. Repeat these steps for all the tables you want to investigate.

Steps for Remediation

Enable DynamoDB table encryption with a CMK KMS key:

  1. Log in to your AWS Console.
  2. Open the DynamoDB Management Console. You can use this link (https://console.aws.amazon.com/dynamodbv2) to navigate there directly if you are already logged in.
  3. Move to the Tables section in the left navigation pane.
  4. A list of tables in the region appears. Select the one you wish to remediate by clicking on its name.
  5. Move to the Additional Settings tab.
  6. In the Encryption section, click on Manage Encryption.
  7. Select AWS managed CMK and click on Save Changes.
  8. Repeat these steps for all the tables you want to remediate.
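The console steps above, both the check under "Steps to Reproduce" and the change under "Steps for Remediation", can be driven through the DynamoDB and KMS APIs. The following is an added example written for this page; it is not the plugin's own code. It assumes boto3 for the live scan and the DescribeTable / DescribeKey response shapes documented by AWS; the table names and key ARNs in the sample data are constructed placeholders. DynamoDB omits SSEDescription entirely when the AWS-owned default key is in use, and a KMS key's KeyManager field ("AWS" or "CUSTOMER") tells an AWS-managed key apart from a customer-managed one, so the classification below covers all three cases rather than only the single console observation in step 7.

```python
"""Audit DynamoDB tables for the kind of encryption key in use.

Added example, not the plugin's own code. The classification is pure and
runs offline against the constructed sample responses below; scan_region()
needs boto3 and dynamodb:ListTables, dynamodb:DescribeTable, kms:DescribeKey.
"""

AWS_OWNED = "aws-owned"            # default key; the finding this plugin flags
AWS_MANAGED = "aws-managed"        # the aws/dynamodb key, managed by AWS
CUSTOMER_MANAGED = "customer-managed"


def classify_table_encryption(table, key_manager_lookup):
    """Return which kind of key encrypts `table` (the 'Table' dict of DescribeTable).

    key_manager_lookup(key_arn) must return the KMS KeyManager value
    ('AWS' or 'CUSTOMER'); in the live scan it wraps kms:DescribeKey.
    """
    sse = table.get("SSEDescription")
    # No SSEDescription, a non-KMS type, or no key ARN all mean the AWS-owned key.
    if not sse or sse.get("SSEType") != "KMS" or not sse.get("KMSMasterKeyArn"):
        return AWS_OWNED
    manager = key_manager_lookup(sse["KMSMasterKeyArn"])
    # Anything that is not explicitly customer-managed is treated as AWS-managed.
    return CUSTOMER_MANAGED if manager == "CUSTOMER" else AWS_MANAGED


def audit_tables(tables, key_manager_lookup):
    """Map each table name to PASS (customer-managed key) or FAIL (anything else)."""
    findings = {}
    for table in tables:
        kind = classify_table_encryption(table, key_manager_lookup)
        findings[table["TableName"]] = "PASS" if kind == CUSTOMER_MANAGED else "FAIL"
    return findings


def remediation_params(table_name, customer_key_arn):
    """Keyword arguments for dynamodb:UpdateTable that move a table onto the given KMS key."""
    return {
        "TableName": table_name,
        "SSESpecification": {
            "Enabled": True,
            "SSEType": "KMS",
            "KMSMasterKeyId": customer_key_arn,
        },
    }


# Constructed sample data: shapes follow the DynamoDB and KMS APIs, values are placeholders.
AWS_MANAGED_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-AWS-MANAGED"
CUSTOMER_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-CUSTOMER"
SAMPLE_KEY_MANAGERS = {AWS_MANAGED_KEY_ARN: "AWS", CUSTOMER_KEY_ARN: "CUSTOMER"}
SAMPLE_TABLES = [
    {"TableName": "orders"},  # no SSEDescription: AWS-owned default key
    {"TableName": "sessions",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": AWS_MANAGED_KEY_ARN}},
    {"TableName": "customers",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": CUSTOMER_KEY_ARN}},
]


def sample_audit():
    """Run the audit over the constructed sample tables (offline)."""
    return audit_tables(SAMPLE_TABLES, SAMPLE_KEY_MANAGERS.get)


def scan_region(region_name):
    """Live scan of every table in one region; requires boto3 and AWS credentials."""
    import boto3  # imported here so the offline parts work without boto3 installed
    ddb = boto3.client("dynamodb", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    tables = []
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            tables.append(ddb.describe_table(TableName=name)["Table"])

    def key_manager(arn):
        return kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]

    return audit_tables(tables, key_manager)


if __name__ == "__main__":
    for table_name, result in sample_audit().items():
        print(f"{table_name}: {result}")
```

Running the script as-is only evaluates the constructed sample data; `scan_region("us-east-1")` performs the live check against an account. For remediation, pass the dict from `remediation_params()` to `boto3.client("dynamodb").update_table(**params)` with the ARN of the customer-managed key you intend to use; that is the API equivalent of the Manage Encryption change in step 7 of the remediation steps.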