🛡️ AWS DynamoDB Table is not encrypted with a KMS key🟢

Contextual name: 🛡️ Table is not encrypted with a KMS key🟢
ID: /ce/ca/aws/dynamodb/table-encryption
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS DynamoDB Table
- 🔌 AWS DynamoDB Table - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Internal: dec-x-c658697c

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-c658697c	1

Description

Open File

Description

This policy identifies AWS DynamoDB Tables that are not encrypted at rest using an AWS KMS key. By default, all DynamoDB tables are encrypted using server-side encryption with an AWS-owned key. However, for enhanced security and compliance control, tables should be configured to use either a Customer-Managed Key (CMK) or an AWS Managed Key stored in AWS Key Management Service (KMS).

Rationale

Encrypting DynamoDB tables with a KMS key provides several advantages over the default AWS-owned key:

You can manage key lifecycle operations (such as creation, rotation, and access control) directly within AWS KMS.

All key usage is recorded in AWS CloudTrail, providing a detailed audit trail of data access and decryption events.

You can define fine-grained IAM policies on the KMS key to restrict which users or roles can access encrypted data in the table.

Impact

Enabling encryption with a KMS key may incur additional costs associated with AWS KMS usage.

Audit

This policy marks an AWS DynamoDB Table as INCOMPLIANT if SSE: Status field is not set to ENABLED.

... see more

Remediation

Open File

Remediation

Update an Encrypted Table with an AWS Managed Key

From Command Line

To enable encryption at rest using the AWS managed key, run the following command:
aws dynamodb update-table \
  --table-name {{table-name}} \
  --sse-specification Enabled=true,SSEType=KMS
Update an Encrypted Table with a Customer-Managed Key

To enable encryption at rest using a Customer-Managed key (CMK), specify the key ID in the command:
aws dynamodb update-table \
  --table-name {{table-name}} \
  --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId={{kms-key-id}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;		10	10	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			14	no data
💼 Cloudaware Framework → 💼 Data Encryption			54	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	31	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		31	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		31	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			159	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	32	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

Update an Encrypted Table with an AWS Managed Key​

From Command Line​

Update an Encrypted Table with a Customer-Managed Key​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

Update an Encrypted Table with an AWS Managed Key

From Command Line

Update an Encrypted Table with a Customer-Managed Key

policy.yaml

Linked Framework Sections