Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Dynamodb >

Table Customer Key

LOW
Source
Trivy/CSPM
CSPM ID
dynamodb-kms-encryption
ID
AVD-AWS-0025
terraform

DynamoDB tables should use at rest encryption with a Customer Managed Key

Using AWS managed keys does not allow for fine grained control. DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Enable server side encryption with a customer managed key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

resource "aws_kms_key" "dynamo_db_kms" {
  enable_key_rotation = true
}

resource "aws_dynamodb_table" "good_example" {
  name = "example"
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamo_db_kms.key_id
  }
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use