AWS DynamoDB encrypted using AWS owned CMK instead of AWS managed CMK
Description
This rule detects whether DynamoDB tables are encrypted at rest and, if so, whether they are using a Customer Managed Key (CMK) for encryption, which provides an added layer of security, rather than the default AWS-owned keys. Encrypting DynamoDB tables with AWS KMS Customer Managed Keys (CMKs) enhances data security by giving you control over the encryption keys. This control enables detailed key management, including key rotation, key policies, and audit capabilities through CloudTrail. Therefore, ensuring DynamoDB tables are encrypted with KMS Customer Managed CMKs is crucial for sensitive data requiring stringent compliance and security standards.
Code Example

```hcl
resource "aws_dynamodb_table" "example" {
  # ... (table name, hash_key and attribute definitions omitted)

  # Compliant: encryption enabled and bound to a customer managed KMS key.
  # Both lines below are the ones the remediation adds.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.example.arn
  }
}

resource "aws_kms_key" "example" {
  description = "KMS key for DynamoDB table encryption"
}
```

Remediation
Terraform
To mitigate this issue, ensure the server_side_encryption block is present with enabled = true and that kms_key_arn references a KMS Customer Managed CMK; a block that is absent or disabled leaves the table on an AWS owned key, and a block with enabled = true but no kms_key_arn uses the AWS managed key rather than a CMK.
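The description above states what the rule checks and the remediation states the compliant shape of the block. As an added example (not the scanner's own implementation, and not code from the page), the following Python applies the same logic to Terraform resources in their JSON-syntax form: it classifies each aws_dynamodb_table by which key class its server_side_encryption block selects and reports every table that is not bound to a customer managed key. The sample configuration, the resource names (orders, sessions, customers) and the key class labels are constructed for this example.

```python
"""Detect DynamoDB tables that are not encrypted with a customer managed KMS key.

Added example, not the rule's own implementation. It reads Terraform resources
in JSON syntax and applies the rule's logic:
  - no server_side_encryption block, or enabled = false -> AWS owned key
  - enabled = true with no kms_key_arn                  -> AWS managed key (aws/dynamodb)
  - enabled = true with a kms_key_arn                   -> customer managed key (compliant)
"""
from __future__ import annotations

from typing import Any

# Constructed sample input in Terraform JSON syntax (the *.tf.json form).
SAMPLE_CONFIG: dict[str, Any] = {
    "resource": {
        "aws_kms_key": {
            "example": {"description": "KMS key for DynamoDB table encryption"}
        },
        "aws_dynamodb_table": {
            # No SSE block at all: DynamoDB falls back to an AWS owned key.
            "orders": {
                "name": "orders",
                "hash_key": "id",
                "attribute": [{"name": "id", "type": "S"}],
            },
            # SSE enabled but no key ARN: the AWS managed key aws/dynamodb is used.
            "sessions": {
                "name": "sessions",
                "hash_key": "id",
                "attribute": [{"name": "id", "type": "S"}],
                "server_side_encryption": [{"enabled": True}],
            },
            # Compliant: SSE enabled and bound to a customer managed key.
            "customers": {
                "name": "customers",
                "hash_key": "id",
                "attribute": [{"name": "id", "type": "S"}],
                "server_side_encryption": [
                    {"enabled": True, "kms_key_arn": "${aws_kms_key.example.arn}"}
                ],
            },
        },
    }
}


def classify_sse(table: dict[str, Any]) -> str:
    """Return the key class selected by a table's server_side_encryption block."""
    blocks = table.get("server_side_encryption") or []
    # Terraform JSON allows a nested block as a single object or a list of objects.
    if isinstance(blocks, dict):
        blocks = [blocks]
    if not blocks or not blocks[0].get("enabled"):
        return "aws_owned"
    if not blocks[0].get("kms_key_arn"):
        return "aws_managed"
    return "customer_managed"


def find_noncompliant_tables(config: dict[str, Any]) -> list[tuple[str, str]]:
    """List (resource address, key class) for every table not using a customer managed key."""
    findings: list[tuple[str, str]] = []
    tables = config.get("resource", {}).get("aws_dynamodb_table", {})
    for name, body in tables.items():
        key_class = classify_sse(body)
        if key_class != "customer_managed":
            findings.append((f"aws_dynamodb_table.{name}", key_class))
    return findings


if __name__ == "__main__":
    for address, key_class in find_noncompliant_tables(SAMPLE_CONFIG):
        print(f"{address}: encrypted with {key_class} key; expected a customer managed KMS key")
```

Running the module reports the orders table (AWS owned key) and the sessions table (AWS managed key) and stays silent on customers, which matches the compliant block in the code example above. The two non-compliant classes are kept distinct in the output because their fixes differ: the first needs the whole block added, the second only the kms_key_arn attribute.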
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0172 |
| Severity | INFO |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_119 |