Storing sensitive information in dynamodb

0

I have a requirement to store sensitive information in a dynamodb table. The information is entered in client application which sends data to api gateway which then forwards the data to the table. Cognito users for the client app each have a number of entries with different sensitive data in each.

I want to minimise access to this information for people who are not cognito users, for example I do not want to be able to go to the dynamodb console and access the actual value of the data when I look at the table as a developer. Ideally I would like to have the client app perform some actions so that when the data is sent to aws, it is already not human readable but when the client app gets the data back again it can be made readable again.

Is it possible to hide some columns or a whole table from IAM users but have lambda functions still able to access it? Is it possible to encrypt the data using a kms key such that only the client app or cognito users can access that key to encrypt and decrypt the data clientside?

The current solution is to generate a data key for each item and store it alongside the data so that the data is unreadable and users are not responsible for storing and handling the key. However this only leaves one step of separation between the sensitive data with an IAM user able to decrypt the data using the key and view the data. Is there a better solution than this that doesn't result in cognito users being responsible for remembering the encryption key for their data but also prevents IAM users from taking simple steps to view it?

I have seen the response to this post https://repost.aws/questions/QUtBzzrw0jQmGwmPpkeAQLYw/data-redaction-or-mask-in-dynamodb which is about the same issue.

2 Answers
3
Accepted Answer

Is it possible to hide some columns or a whole table from IAM users but have lambda functions still able to access it?

Yes, you can use Fine Grained Access Control

Is it possible to encrypt the data using a kms key such that only the client app or cognito users can access that key to encrypt and decrypt the data clientside?

Each KMS key can have its own access policy, which you can define who has access to what key. You can use the Encryption Client in combination with KMS to encrypt/decrypt sensitive data.

profile pictureAWS
EXPERT
answered a year ago
profile picture
EXPERT
reviewed a year ago
1

I believe that DDB Encryption client allowing client-side encryption is what you're looking for:

https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html

The DynamoDB Encryption Client is designed to be implemented in new, unpopulated databases. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party, including AWS. The DynamoDB Encryption Client is provided free of charge under the Apache 2.0 license.

profile pictureAWS
EXPERT
answered a year ago
  • Thank you for your answer, I have been looking at the encryption client and it does seem to do what I want in terms of encrypting data. However, it seems as though it is using a key (for example from kms) which I will have access to as a developer. This means that I am still able to decrypt the data using that key to view the sensitive information. Do you know if it is possible to solve that problem without forcing the user to be responsible for their encryption key? Can I hide the encryption key from developers?

  • No, if you managed the keys properly with KMS, even the developer won't see the content in the production database. Each KMS key can have its own access policy, where you restrict which principals can use the key or not.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions