DynamoDB table replica does not use CMK KMS encryption
Description
This policy ensures that the replica of a DynamoDB global table is encrypted with a customer managed key (CMK) in AWS Key Management Service (KMS). This matters because a CMK gives the user direct control over the cryptographic keys used for encryption, including granular control over who can use the keys and for what purpose. If the keys are not managed by the user, the replicated data is exposed to a greater risk of unauthorized access or breach.
Code Example
```hcl
resource "aws_dynamodb_table_replica" "pass" {
  provider         = "aws.alt"
  global_table_arn = aws_dynamodb_table.pass.arn
  kms_key_arn      = aws_kms_key.test.arn
  tags = {
    Name = "taggy"
  }
}
```
Remediation
Terraform
- Resource: aws_dynamodb_table_replica
- Arguments: kms_key_arn
To fix this issue, ensure that DynamoDB global table replicas are encrypted with a customer managed key (CMK) rather than the default AWS managed key. Set the `kms_key_arn` argument of the `aws_dynamodb_table_replica` resource to the ARN of the CMK, as in the example above.
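An added example, not part of the original policy page or of Checkov itself, showing how this rule can be evaluated against the TerraformPlan framework listed below, i.e. the JSON produced by `terraform show -json`. The plan document, the account id and the key id are constructed; the check treats a `kms_key_arn` that is only known after apply as configured, so a key created in the same plan does not produce a false failure.

```python
import json

REPLICA_TYPE = "aws_dynamodb_table_replica"

# Constructed sample plan JSON: one replica with a CMK, one relying on the
# default key, and one whose key is created in the same plan (value unknown
# until apply). Account id and key id are placeholders.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_dynamodb_table_replica.pass", "type": REPLICA_TYPE,
         "change": {"actions": ["create"],
                    "after": {"global_table_arn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders",
                              "kms_key_arn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"},
                    "after_unknown": {}}},
        {"address": "aws_dynamodb_table_replica.fail", "type": REPLICA_TYPE,
         "change": {"actions": ["create"],
                    "after": {"global_table_arn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
                    "after_unknown": {}}},
        {"address": "aws_dynamodb_table_replica.pending_key", "type": REPLICA_TYPE,
         "change": {"actions": ["create"],
                    "after": {"global_table_arn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
                    "after_unknown": {"kms_key_arn": True}}},
    ],
})


def replica_cmk_findings(plan_json: str) -> dict:
    """Return {resource address: "PASSED" | "FAILED"} for every DynamoDB table replica in the plan."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != REPLICA_TYPE:
            continue
        change = rc.get("change") or {}
        if change.get("actions") == ["delete"]:
            continue  # resource is being destroyed; nothing left to encrypt
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # A non-empty ARN, or an ARN that Terraform only knows after apply
        # (e.g. a reference to an aws_kms_key in the same plan), counts as a CMK.
        has_cmk = bool(after.get("kms_key_arn")) or unknown.get("kms_key_arn") is True
        results[rc["address"]] = "PASSED" if has_cmk else "FAILED"
    return results


if __name__ == "__main__":
    for address, status in replica_cmk_findings(SAMPLE_PLAN).items():
        print(f"CKV_AWS_271 {status}: {address}")
```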
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0319 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_271 |