LOW
Source
Trivy/CSPM
CSPM ID
dynamodb-kms-encryption
ID
AVD-AWS-0025

DynamoDB tables should use at rest encryption with a Customer Managed Key

DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.

Impact

Using AWS managed keys does not allow for fine grained control

Follow the appropriate remediation steps below to resolve the issue.

Enable server side encryption with a customer managed key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
resource "aws_kms_key" "dynamo_db_kms" {
  enable_key_rotation = true
}

resource "aws_dynamodb_table" "good_example" {
  name             = "example"
  hash_key         = "TestTableHashKey"
  billing_mode     = "PAY_PER_REQUEST"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"
  
  attribute {
    name = "TestTableHashKey"
    type = "S"
  }
  
  replica {
    region_name = "us-east-2"
  }
  
  replica {
    region_name = "us-west-2"
  }
  
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamo_db_kms.key_id
  }
}