DynamoDB table is not encrypted with a customer-managed CMK
Checks whether each DynamoDB table is encrypted with a customer-managed CMK rather than an AWS-owned or AWS-managed key. Customer-managed keys help protect sensitive applications, adhere to your organization's policies, meet compliance and regulatory requirements, and (when you import your own key material into the CMK) maintain an additional secure copy of your encryption keys outside of AWS.
Severity: INFO Interval: 1 day
Why do I see this?
Your DynamoDB table is encrypted with the default AWS-owned Customer Master Key (CMK) or with the AWS-managed CMK for DynamoDB (alias aws/dynamodb), not with a customer-managed CMK.
What does this mean?
DynamoDB tables are always encrypted at rest, but unless you specify a customer-managed CMK the table is encrypted with a key that AWS owns or manages. That is cheaper and shifts work such as key rotation to AWS, but it leaves you with less control: you cannot write the key policy, grant or revoke access to the key, disable it, or choose its rotation schedule, and with the AWS-owned key there is no key in your account at all, so its use never appears in your CloudTrail logs. Owning the key also means owning its lifecycle: if a customer-managed CMK is disabled, scheduled for deletion, or its key policy stops allowing DynamoDB to use it, the table becomes inaccessible until access is restored.
Bringing your own Customer Master Keys (CMKs) helps with:
- Protecting sensitive applications.
- Adhering to your organization’s policies.
- Meeting compliance and regulatory requirements.
- Maintaining an additional secure copy of your encryption keys outside of AWS (when you import your own key material into the CMK).
When you specify a customer-managed CMK as the table-level encryption key, your DynamoDB table, local and global secondary indexes, and streams are encrypted with the same customer-managed CMK.
On-demand backups are encrypted with the table-level encryption key that was in effect when the backup was created, so switching the table to a different key later does not change the key protecting backups taken earlier.
How do I fix this?
You can switch a table to a customer-managed CMK in one step, while the table stays available, from the AWS Management Console, with a single UpdateTable API call (the SSESpecification parameter), or with the AWS CLI. Provide the key's ID, ARN or alias; the key must live in the same Region as the table, and the IAM principal making the call needs permission to use it.
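The check and the fix, as an added example that is not Dashbird's own rule code or AWS code. It runs on constructed stand-ins for the output of `dynamodb describe-table` and `kms describe-key` (the `DESCRIBE_TABLE` and `KMS_KEYS` dicts, with made-up account ID and key IDs), classifies each table as AWS-owned, AWS-managed or customer-managed, and builds the `update_table` request for every non-compliant table. Replacing the two dicts with real boto3 calls is the only change needed to run it against an account.

```python
"""Find DynamoDB tables not encrypted with a customer-managed CMK and build
the UpdateTable request that moves them to one.

Added example, not Dashbird's or AWS's code. All data below is constructed:
DESCRIBE_TABLE stands in for `dynamodb describe-table` responses and
KMS_KEYS for `kms describe-key` metadata, so the script runs offline.
"""

AWS_MANAGED_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
CUSTOMER_CMK_ARN = "arn:aws:kms:eu-west-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"

# Constructed DescribeTable responses, trimmed to the fields this check reads.
# A table encrypted with the AWS-owned key returns no SSEDescription at all;
# both the AWS-managed key (alias aws/dynamodb) and a customer-managed key
# show up as SSEType KMS with a key ARN, so the ARN alone is not enough.
DESCRIBE_TABLE = {
    "orders-aws-owned": {"TableName": "orders-aws-owned", "TableStatus": "ACTIVE"},
    "orders-aws-managed": {
        "TableName": "orders-aws-managed",
        "TableStatus": "ACTIVE",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                           "KMSMasterKeyArn": AWS_MANAGED_KEY_ARN},
    },
    "orders-customer-managed": {
        "TableName": "orders-customer-managed",
        "TableStatus": "ACTIVE",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                           "KMSMasterKeyArn": CUSTOMER_CMK_ARN},
    },
}

# Constructed KMS DescribeKey metadata keyed by key ARN. KeyManager is the
# field KMS uses to say whether AWS or the customer manages the key.
KMS_KEYS = {
    AWS_MANAGED_KEY_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CUSTOMER_CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

AWS_OWNED, AWS_MANAGED, CUSTOMER_MANAGED = "AWS_OWNED", "AWS_MANAGED", "CUSTOMER_MANAGED"


def classify_table_key(table, kms_keys):
    """Return which kind of key encrypts `table` (a DescribeTable response)."""
    sse = table.get("SSEDescription")
    if not sse or not sse.get("KMSMasterKeyArn"):
        return AWS_OWNED
    arn = sse["KMSMasterKeyArn"]
    meta = kms_keys.get(arn)
    if meta is None:
        # Without kms:DescribeKey on the key we cannot tell AWS-managed from
        # customer-managed, so fail loudly rather than guess.
        raise LookupError(f"{table['TableName']}: cannot describe key {arn}")
    return CUSTOMER_MANAGED if meta["KeyManager"] == "CUSTOMER" else AWS_MANAGED


def find_findings(tables, kms_keys):
    """Names of tables that would trigger this rule, in stable order."""
    return sorted(name for name, t in tables.items()
                  if classify_table_key(t, kms_keys) != CUSTOMER_MANAGED)


def update_table_request(table_name, cmk):
    """Keyword arguments for boto3 `dynamodb.update_table` that switch
    `table_name` to `cmk`. KMSMasterKeyId accepts a key ID, key ARN, alias
    name or alias ARN; the key must be in the table's Region."""
    return {
        "TableName": table_name,
        "SSESpecification": {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": cmk},
    }


def remediation_plan(tables, kms_keys, cmk):
    """One UpdateTable request per non-compliant table. Refuses a key that is
    not an enabled customer-managed key: DynamoDB cannot use a disabled key,
    and a table whose key becomes unusable is locked out, not just unencrypted."""
    meta = kms_keys.get(cmk)
    if not meta or meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] != "Enabled":
        raise ValueError(f"{cmk} is not an enabled customer-managed key")
    return [update_table_request(name, cmk) for name in find_findings(tables, kms_keys)]


if __name__ == "__main__":
    for request in remediation_plan(DESCRIBE_TABLE, KMS_KEYS, CUSTOMER_CMK_ARN):
        # With boto3: boto3.client("dynamodb").update_table(**request)
        print(request)
```

The CLI equivalent of one generated request is `aws dynamodb update-table --table-name orders-aws-owned --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<key-arn>`; after the call the table reports `TableStatus: UPDATING` briefly and `SSEDescription.KMSMasterKeyArn` changes to the chosen key. Re-running the classification afterwards is the confirmation step, since a key ARN showing up in `SSEDescription` proves only that some KMS key is in use, not that it is yours.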
This rule resolution is part of the Dashbird Serverless Well Architected Reports tool for AWS. Dashbird features a collection of rules and checks continuously applied to your infrastructure, surfacing ways to improve it.