DynamoDB table is not encrypted with a customer-managed CMK

Checks for use of customer-managed CMKs to help protect sensitive applications, adhere to your organization’s policies, meet compliance and regulatory requirements, and maintain an additional secure copy of your encryption keys outside of AWS.

Dashbird continuously monitors and analyses your serverless applications to ensure reliability, cost and performance optimisation and alignment with the Well Architected Framework.

Severity: INFO
Interval: 1 day

Why do I see this?

You are still using the default AWS owned Customer Master Key (CMK) or an AWS-managed CMK to encrypt your DynamoDB tables.

What does this mean?

DynamoDB tables are encrypted by default, but if you don’t specify a customer-managed CMK, you are using AWS’s keys. While this is cheaper and shifts much of the encryption-related work, such as key rotation, to AWS, it gives you less control over your security.

Bringing your own Customer Master Keys (CMKs) helps with:

  • Protecting sensitive applications.
  • Adhering to your organization’s policies.
  • Meeting compliance and regulatory requirements.
  • Maintaining an additional secure copy of your encryption keys outside of AWS.

When you specify a customer-managed CMK as the table-level encryption key, your DynamoDB table, local and global secondary indexes, and streams are encrypted with the same customer-managed CMK.

On-demand backups are encrypted with the table-level encryption key specified when the backups were created.

How do I fix this?

You can switch a table to a customer-managed CMK in one step in the AWS Management Console, with a single API call, or with the AWS CLI.
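The following is an added example, not Dashbird's own code: it applies this rule's logic to the responses that `aws dynamodb describe-table` and `aws kms describe-key` return, and builds the UpdateTable parameters that move a table onto a customer-managed CMK. The responses are constructed samples with placeholder account and key ids, and the table name `orders` is assumed; no AWS calls are made.

```python
# Added example (not Dashbird's code): rule logic over DescribeTable and
# DescribeKey responses (same shape as boto3's describe_table / describe_key),
# plus the UpdateTable parameters that switch a table to a customer-managed CMK.
# No AWS calls are made; the responses below are constructed samples.

def evaluate_table_encryption(describe_table, describe_key=None):
    """Return a finding for this rule, or None when the table is compliant.

    A table on the default AWS owned key carries no SSEDescription; both the
    AWS-managed and a customer-managed CMK show SSEType "KMS" with a
    KMSMasterKeyArn, so DescribeTable alone cannot tell them apart. DescribeKey's
    KeyMetadata.KeyManager ("AWS" or "CUSTOMER") settles it.
    """
    sse = describe_table["Table"].get("SSEDescription")
    if not sse or sse.get("SSEType") != "KMS":
        return "AWS owned key (default encryption)"
    if sse.get("Status") != "ENABLED":
        return "KMS encryption status is %s" % sse.get("Status")
    if describe_key is None:
        return "KMS key in use, but key manager unknown (call DescribeKey)"
    if describe_key["KeyMetadata"].get("KeyManager") != "CUSTOMER":
        return "AWS-managed CMK (%s)" % sse.get("KMSMasterKeyArn")
    return None  # customer-managed CMK: the rule does not fire


def update_table_request(table_name, cmk_arn):
    """Parameters for UpdateTable that switch the table to the given CMK."""
    return {
        "TableName": table_name,
        "SSESpecification": {"Enabled": True, "SSEType": "KMS",
                             "KMSMasterKeyId": cmk_arn},
    }


# Constructed sample responses (placeholder account id and key ids).
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:111122223333:key/AWS-MANAGED-KEY-ID"
CUSTOMER_ARN = "arn:aws:kms:us-east-1:111122223333:key/CUSTOMER-KEY-ID"
DEFAULT_TABLE = {"Table": {"TableName": "orders"}}
AWS_MANAGED_TABLE = {"Table": {"TableName": "orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_MANAGED_ARN}}}
CUSTOMER_TABLE = {"Table": {"TableName": "orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CUSTOMER_ARN}}}
AWS_MANAGED_KEY = {"KeyMetadata": {"Arn": AWS_MANAGED_ARN, "KeyManager": "AWS"}}
CUSTOMER_KEY = {"KeyMetadata": {"Arn": CUSTOMER_ARN, "KeyManager": "CUSTOMER"}}

if __name__ == "__main__":
    for label, table, key in [("default", DEFAULT_TABLE, None),
                              ("aws-managed", AWS_MANAGED_TABLE, AWS_MANAGED_KEY),
                              ("customer", CUSTOMER_TABLE, CUSTOMER_KEY)]:
        print(label, "->", evaluate_table_encryption(table, key))
```

Feed `update_table_request(...)` to `aws dynamodb update-table --cli-input-json` or boto3's `update_table(**params)` to apply the change; the rule then clears on its next daily interval once the key's `KeyManager` is `CUSTOMER`.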

This rule resolution is part of the Dashbird Serverless Well Architected Reports tool for AWS. Dashbird features a collection of rules and checks continuously applied to your infrastructure, surfacing ways to improve it.


Industry leader in serverless monitoring

Dashbird is a monitoring, debugging and intelligence platform designed to help serverless developers build, operate, improve, and scale their modern cloud applications on AWS securely and with ease.