Securing Amazon DynamoDB with Server Side Encryption (SSE)


Your Amazon DynamoDB tables containing sensitive data could be leaked or manipulated if no measures are taken to secure them, and such an incident can further disrupt your day-to-day database query operations. It is important for users to realize the importance of securing their DynamoDB tables.

Enabling Amazon DynamoDB Server Side Encryption (SSE)

Amazon DynamoDB automatically manages the traffic of tables across multiple servers without compromising performance, and it operates and scales the distributed database automatically for users. AWS lets users enable server-side encryption (SSE) as a measure for data security.

With server-side encryption, data is encrypted before it is saved to the database and decrypted when it is retrieved from the database. Server-side encryption uses multi-factor encryption and encrypts each data object with a unique key. DynamoDB encryption at rest helps you secure the application data stored in your DynamoDB tables.

Centilytics provides a useful insight for your DynamoDB tables to help you maintain their security. This insight lists all your Amazon DynamoDB tables that do not have Server Side Encryption (SSE) enabled.
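The check the insight performs can be reproduced from the DescribeTable API output. The script below is an added example, not Centilytics code; it assumes a boto3-style DynamoDB client exposing list_tables() and describe_table(), and the FakeDynamoDB class is a constructed stand-in with made-up table data so the script runs offline.

```python
# Added example: classify DynamoDB tables as OK / CRITICAL by their SSE status
# and emit the columns the insight shows. Not Centilytics code.

def sse_severity(table: dict) -> str:
    """OK when SSEDescription.Status is ENABLED, otherwise CRITICAL.

    DescribeTable omits SSEDescription for tables on the default AWS-owned key,
    so those tables are reported as CRITICAL as well (assumption: this matches
    the insight's notion of "SSE disabled").
    """
    status = (table.get("SSEDescription") or {}).get("Status")
    return "OK" if status == "ENABLED" else "CRITICAL"


def build_insight(client, account_id: str, region: str) -> list:
    """One row per table with the insight's columns, following pagination."""
    rows, kwargs = [], {}
    while True:
        page = client.list_tables(**kwargs)
        for name in page.get("TableNames", []):
            t = client.describe_table(TableName=name)["Table"]
            rows.append({
                "Account Id": account_id,
                "Region": region,
                "Table Name": t["TableName"],
                "Table Id": t.get("TableId"),
                "Identifier": t["TableArn"],  # the table ARN
                "Severity": sse_severity(t),
            })
        if "LastEvaluatedTableName" not in page:
            return rows
        kwargs = {"ExclusiveStartTableName": page["LastEvaluatedTableName"]}


class FakeDynamoDB:
    """Constructed sample client: one KMS-encrypted table, one without SSE."""
    _tables = {
        "orders": {"TableName": "orders", "TableId": "00000000-0000-4000-8000-000000000001",
                   "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
                   "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}},
        "sessions": {"TableName": "sessions", "TableId": "00000000-0000-4000-8000-000000000002",
                     "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/sessions"},
    }

    def list_tables(self, **kwargs):
        return {"TableNames": sorted(self._tables)}

    def describe_table(self, TableName):
        return {"Table": self._tables[TableName]}


if __name__ == "__main__":
    for row in build_insight(FakeDynamoDB(), "123456789012", "us-east-1"):
        print(row["Severity"], row["Table Name"], row["Identifier"])
```

With a real client, replace FakeDynamoDB() with boto3.client("dynamodb", region_name=...) and the same rows are produced for the account's tables in that region.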

Insight Descriptions:

There can be two possible scenarios:

Severity   Description
OK         This indication is displayed when SSE is enabled.
CRITICAL   This indication is displayed when SSE is disabled.

Descriptions of the further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user.
  2. Account Name: This column shows the corresponding account name.
  3. Region: This column shows the region in which the resource exists.
  4. Table Name: This column shows the name of the table.
  5. Table Id: This column shows the unique table Id of your corresponding DynamoDB table.
  6. Identifier: This column shows the unique ARN (Amazon Resource Name) of your resource, which is composed of various parameters to uniquely identify your different resources in AWS.

Filters Applicable:

Filter Name          Description
Account Id           Applying the account Id filter will display data for the selected account Id.
Region               Applying the region filter will display data corresponding to the selected region.
Severity             Applying the severity filter will display resources according to the selected severity type, i.e. selecting Critical will display all resources with critical severity. The same applies to the Warning and Ok severity types.
Resource Tags        Applying the resource tags filter will display those resources which have been assigned the selected resource tag. For example, a user has tagged some resources with a resource tag named environment. Selecting environment from the resource tags filter will then display all resources tagged with the tag name environment.
Resource Tags Value  Applying the resource tags value filter will display data which has the selected resource tag value. For example, say a user has tagged some resources with a tag named environment and a value of production (environment: production). The user can then view data for all resources which have the "environment:production" tag assigned. The tag value filter can only be used once a tag name has been provided.

Compliances covered:

Compliance Name  Reference No.                                          Link
PCI              3.5.3, 3.6.3                                           https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html
HIPAA            164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(ii)    https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
ISO 27001        A.18.1.3, A.18.1.5                                     https://www.iso.org/standard/54534.html
NIST 800-53      SC-13                                                  https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html
GDPR             Article 32                                             https://gdpr-info.eu/
