Secure encryption of confidential information in DynamoDB
```hcl
resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }
}
```
The vulnerable code above creates a DynamoDB table without specifying any encryption. The `aws_dynamodb_table` resource block does not include the `server_side_encryption` argument, which is used to enable server-side encryption with either an AWS managed KMS key or a customer managed KMS key (CMK).
Because no encryption is specified, the DynamoDB table falls back to the default AWS managed KMS key for server-side encryption. This default key does not give you the same level of control and security as a CMK.
With a CMK, for example, you can create, rotate, and disable the key, define its access controls, and audit every use of the key that protects your data. AWS also has no access to your CMKs, so the data stays under your control.
The code is therefore considered vulnerable because it does not use a CMK for encryption, which can lead to unauthorized access or data exposure.
```hcl
resource "aws_kms_key" "dynamodb" {
  description = "KMS key for DynamoDB"
  policy = <
```
The above code first creates a customer managed key (CMK) with the `aws_kms_key` resource. That key is then used to encrypt the DynamoDB table by setting the `kms_key_arn` attribute inside the `aws_dynamodb_table` resource.
The `aws_kms_key` resource creates a new KMS key whose policy allows all KMS actions for the root user of the AWS account. The ARN of the created key is referenced in the `aws_dynamodb_table` resource to enable server-side encryption with that CMK.
This ensures that all data stored in the DynamoDB table is encrypted with the specified CMK, which fixes the finding of confidential information stored without customer-controlled encryption.
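The following is an added example (not the page's own snippet) showing the complete fixed configuration described above: a CMK whose policy grants the account root full KMS access, and the table encrypted with that key. The `data "aws_caller_identity"` lookup, `enable_key_rotation` and `deletion_window_in_days` are additions beyond what the page shows.

```hcl
# Assumed: look up the current account ID rather than hard-coding it.
data "aws_caller_identity" "current" {}

# Customer managed key. The policy mirrors the page's description: all KMS
# actions for the account root, so IAM policies can delegate narrower access.
# Key rotation and a deletion window are added hardening, not from the page.
resource "aws_kms_key" "dynamodb" {
  description             = "KMS key for DynamoDB"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "EnableRootAccountPermissions"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "kms:*"
      Resource  = "*"
    }]
  })
}

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  # Encrypt at rest with the CMK above instead of the default key.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}
```

After `terraform apply`, `aws dynamodb describe-table --table-name GameScores` should report an `SSEDescription` with `SSEType` of `KMS` and the CMK's ARN in `KMSMasterKeyArn`, which is the check to put in a post-deploy verification step.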