AWS-DynamoDB-Default-KMS-Encryption

Severity: High

Description: This control ensures that AWS DynamoDB tables are not configured with DEFAULT encryption. Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. AWS DynamoDB provides encryption at rest through DEFAULT (DynamoDB managed key), KMS (Customer managed CMK), and KMS (AWS managed CMK).
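
An added example (not part of the original control text) of how this check can be evaluated from DynamoDB DescribeTable output: a table with no active KMS `SSEDescription` is on DEFAULT encryption and fails the control. The sample responses, table names and key ARNs are constructed, and `key_manager_of` is a hypothetical stand-in for a KMS DescribeKey lookup of `KeyMetadata.KeyManager`.

```python
# Added example: classify DynamoDB encryption at rest from DescribeTable output.
DEFAULT = "DEFAULT (DynamoDB managed key)"
AWS_MANAGED = "KMS (AWS managed CMK)"
CUSTOMER_MANAGED = "KMS (Customer managed CMK)"
# Assumption: these SSE statuses mean a KMS key is in effect or being applied.
ACTIVE_SSE = {"ENABLING", "ENABLED", "UPDATING"}


def classify_table(describe_table_resp, key_manager_of):
    """Return (table_name, encryption_type, compliant).

    describe_table_resp: dict shaped like a DescribeTable response.
    key_manager_of: callable mapping a KMS key ARN to "AWS" or "CUSTOMER"
    (hypothetical helper wrapping KMS DescribeKey -> KeyMetadata.KeyManager).
    """
    table = describe_table_resp["Table"]
    sse = table.get("SSEDescription") or {}
    # Missing or inactive SSEDescription: the table uses the default key.
    if sse.get("SSEType") != "KMS" or sse.get("Status") not in ACTIVE_SSE:
        return table["TableName"], DEFAULT, False
    manager = key_manager_of(sse["KMSMasterKeyArn"])
    kind = CUSTOMER_MANAGED if manager == "CUSTOMER" else AWS_MANAGED
    return table["TableName"], kind, True


def audit(responses, key_manager_of):
    """Return sorted names of tables that fail the control."""
    results = (classify_table(r, key_manager_of) for r in responses)
    return sorted(name for name, _, ok in results if not ok)


# Constructed sample data; account id and key ids are placeholders.
_CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-key"
_AWS = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed-key"
SAMPLE_KEY_MANAGERS = {_CMK: "CUSTOMER", _AWS: "AWS"}


def _kms(name, arn, status="ENABLED"):
    sse = {"Status": status, "SSEType": "KMS", "KMSMasterKeyArn": arn}
    return {"Table": {"TableName": name, "SSEDescription": sse}}


SAMPLE_TABLES = [
    {"Table": {"TableName": "orders"}},   # no SSEDescription -> DEFAULT
    _kms("sessions", _AWS),               # AWS managed key
    _kms("payments", _CMK),               # customer managed key
    _kms("legacy", _CMK, "DISABLED"),     # KMS turned off -> DEFAULT
]

if __name__ == "__main__":
    for resp in SAMPLE_TABLES:
        print(classify_table(resp, SAMPLE_KEY_MANAGERS.get))
```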

Remediation Steps:

Perform the following to set a CMK for DynamoDB:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

  2. Go to Secrets Manager in Services.

  3. Click on the secret to be modified.

  4. Click on Actions and select Edit encryption key.

  5. Select an appropriate KMS Customer Managed Key (CMK) from the list.

  6. Check the "Create new version of secret with new encryption key" option.

  7. Click Save.

Important:

Reference:

Blue Hexagon Proprietary