Rule: DynamoDB Table Encrypted with AWS KMS
Check if DynamoDB table is encrypted with AWS KMS to ensure data security.
| Rule | DynamoDB table should be encrypted with AWS KMS |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
Rule Description:
The DynamoDB table should be encrypted with AWS Key Management Service (KMS) for compliance with CISA Cyber Essentials.
Troubleshooting Steps:
- 1.Check if the DynamoDB table is using encryption.
- 2.Verify if AWS KMS key is used for encrypting the DynamoDB table.
- 3.Ensure that the KMS key used is compliant with the CISA Cyber Essentials requirements.
- 4.Confirm if the correct permissions are assigned to the KMS key and the DynamoDB table.
Necessary Code:
The following AWS CLI commands can be used to configure encryption for a DynamoDB table using AWS KMS:
aws dynamodb update-table \ --table-name <table-name> \ --sse-specification 'Enabled=true, SSEType=KMS, KMSMasterKeyId=<kms-key-id>'
Step-by-Step Guide:
- 1.Open the AWS Management Console and navigate to the DynamoDB service.
- 2.Select the desired DynamoDB table that needs to be encrypted.
- 3.Click on the "Actions" drop-down menu and choose "Manage encryption".
- 4.In the Encryption configuration section, click on "Edit".
- 5.Select the "AWS Key Management Service (KMS)" option.
- 6.Choose the appropriate KMS key from the "KMS Key ARN" drop-down list.
- 7.Click on "Save changes" to enable encryption using the selected KMS key.
Ensure that the selected KMS key is compliant with the CISA Cyber Essentials requirements to have a secure and compliant configuration.
Note:
Remember to replace
<table-name><kms-key-id>