More Info:
Amazon DynamoDB tables should be using AWS-managed Customer Master Keys (CMKs) instead of AWS-owned CMKs for Server-Side Encryption (SSE), in order to meet strict encryption compliance and regulatory requirements. DynamoDB supports switching from AWS-owned CMKs to customer-managed CMKs managed using Amazon Key Management Service (KMS), without requiring any code to encrypt the data.

Risk Level
High

Address
Security

Compliance Standards
SOC2, GDPR, HIPAA, NIST, ISO27001

Remediation

How to reconfigure existing DynamoDB tables to use AWS-managed CMKs for Server-Side Encryption?

Using AWS Console
- Open the AWS Management Console and navigate to the DynamoDB service.
- Select the DynamoDB table that you want to reconfigure. (In the Cloudanix Console, navigate to the “Misconfig” page and look for Affected Assets for the “AWS DynamoDB Tables Should Use KMS CMKs for Encryption” policy.)
- Click on the “Manage DynamoDB” button or access the table configuration settings.
- In the table configuration settings, locate the “Encryption” section.
- Check if the table is already encrypted. If it is not, proceed to the next step.
- Click on the “Edit” button or the appropriate option to modify the encryption settings.
- In the encryption settings, choose the option to enable encryption and select “AWS managed key” as the encryption type.
- From the drop-down menu, select the AWS-managed CMK that you want to use for server-side encryption.
- Review any additional encryption-related settings, such as the type of encryption algorithm.
- Save the changes to apply the new encryption configuration to the DynamoDB table.
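
To confirm the result of the console steps above across many tables, the following added example (not Cloudanix or AWS code) classifies each table from its `DescribeTable` output and flags the ones still on an AWS-owned key. The function names, table names and key ARNs are constructed for illustration; `live_audit` assumes boto3 and read-only credentials are available.

```python
# Added example: classify DynamoDB tables by the key type used for SSE.
ACTIVE = {"ENABLED", "ENABLING", "UPDATING"}  # SSEDescription.Status values meaning a KMS key applies

def classify_table_sse(table, key_manager):
    """table: the 'Table' dict from DescribeTable.
    key_manager: callable(key_arn) -> 'AWS' or 'CUSTOMER' (KMS KeyMetadata.KeyManager)."""
    sse = table.get("SSEDescription") or {}
    arn = sse.get("KMSMasterKeyArn")
    # A table on the default AWS-owned key has no active KMS SSEDescription.
    if sse.get("SSEType") != "KMS" or sse.get("Status") not in ACTIVE or not arn:
        return "AWS_OWNED"
    return "AWS_MANAGED" if key_manager(arn) == "AWS" else "CUSTOMER_MANAGED"

def flag_aws_owned(tables, key_manager):
    """Names of tables that still need the remediation described on this page."""
    return sorted(t["TableName"] for t in tables
                  if classify_table_sse(t, key_manager) == "AWS_OWNED")

def sse_specification(kms_key_id=None):
    """SSESpecification for UpdateTable. With no key id, DynamoDB uses the
    AWS-managed key (alias/aws/dynamodb); pass a key id for a customer-managed key."""
    spec = {"Enabled": True, "SSEType": "KMS"}
    if kms_key_id:
        spec["KMSMasterKeyId"] = kms_key_id
    return spec

def live_audit(region):
    """Same check against a real account (read-only API calls)."""
    import boto3  # imported lazily so the offline sample runs without the SDK
    ddb = boto3.client("dynamodb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    names = [n for page in ddb.get_paginator("list_tables").paginate()
             for n in page["TableNames"]]
    tables = [ddb.describe_table(TableName=n)["Table"] for n in names]
    return flag_aws_owned(
        tables, lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"])

# Constructed sample data (not real resources).
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed"
CUST_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-managed"
SAMPLE_KEY_MANAGERS = {AWS_KEY: "AWS", CUST_KEY: "CUSTOMER"}
SAMPLE_TABLES = [
    {"TableName": "orders"},  # no SSEDescription: AWS-owned key
    {"TableName": "sessions", "SSEDescription": {"Status": "DISABLED", "SSEType": "KMS"}},
    {"TableName": "users", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_KEY}},
    {"TableName": "payments", "SSEDescription": {
        "Status": "UPDATING", "SSEType": "KMS", "KMSMasterKeyArn": CUST_KEY}},
]

if __name__ == "__main__":
    print("Tables still on an AWS-owned key:", flag_aws_owned(SAMPLE_TABLES, SAMPLE_KEY_MANAGERS.get))
```

The dictionary returned by `sse_specification()` is the value that `update_table` takes in its `SSESpecification` parameter.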