encryption in dynamodb

0

All documentation I can find on Dynamo more or less says the following: all tables created with default options are encrypted at rest, and tables that were previously unencrypted are now encrypted as well (source: https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-dynamodb-encrypts-all-customer-data-at-rest/)

But in my account, when I run the “DynamoDB tables with disabled SSE” precanned query, I get back DynamoDB tables that are not encrypted at rest.

Am I trying the correct query?

SELECT COUNT(*) WHERE resourceType = 'AWS::DynamoDB::Table' AND configuration.ssedescription.status <> 'ENABLED'

AWS
asked 3 years ago, 668 views
1 Answer
0
Accepted Answer

Can you try running the describe-table command for the specific table you want to check, to see whether encryption is enabled or not?

E.g.: I ran this against one of my tables where I have not explicitly enabled encryption. This table has the default encryption, i.e. the key is owned by DynamoDB. And this does not contain the SSEDescription section.

aws dynamodb describe-table --table-name REFERENCE_DATA --profile LON_NIH_ACC1
{
    "Table": {
        "AttributeDefinitions": [
            {
                "AttributeName": "DEVICE-ID",
                "AttributeType": "S"
            }
        ],
        "TableName": "REFERENCE_DATA",
        "KeySchema": [
            {
                "AttributeName": "DEVICE-ID",
                "KeyType": "HASH"
            }
        ],
        "TableStatus": "ACTIVE",
        "CreationDateTime": "2019-12-18T22:13:24.012000+00:00",
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 0,
            "ReadCapacityUnits": 5,
            "WriteCapacityUnits": 5
        },
        "TableSizeBytes": 220,
        "ItemCount": 2,
        "TableArn": "arn:aws:dynamodb:eu-west-2:1233444444:table/REFERENCE_DATA",
        "TableId": "ea301050-9d37-40de-bc90-8e53c59491c5"
    }
}

Next I ran the describe-table against another table where I have opted for KMS (AWS managed CMK). Here, as you can see, the describe-table output has the section SSEDescription.

aws dynamodb describe-table --table-name MyTable --profile LON_NIH_ACC1
{
    "Table": {
        "AttributeDefinitions": [
            {
                "AttributeName": "somekey",
                "AttributeType": "S"
            },
            {
                "AttributeName": "somesortkey",
                "AttributeType": "S"
            }
        ],
        "TableName": "MyTable",
        "KeySchema": [
            {
                "AttributeName": "somekey",
                "KeyType": "HASH"
            },
            {
                "AttributeName": "somesortkey",
                "KeyType": "RANGE"
            }
        ],
        "TableStatus": "ACTIVE",
        "CreationDateTime": "2021-02-18T08:26:15.886000+00:00",
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 0,
            "ReadCapacityUnits": 5,
            "WriteCapacityUnits": 5
        },
        "TableSizeBytes": 0,
        "ItemCount": 0,
        "TableArn": "arn:aws:dynamodb:eu-west-2:12345555555:table/MyTable",
        "TableId": "9ec2c655-5883-4430-833f-c42fed15290a",
        "SSEDescription": {
            "Status": "ENABLED",
            "SSEType": "KMS",
            "KMSMasterKeyArn": "arn:aws:kms:eu-west-2:1233445555544:key/d2ddf328-adf1-4322-8a31-49531a9a679b"
        }
    }
}

And the describe-table operation displays the SSEDescription status only when you explicitly opt in for KMS-based encryption. If your table is encrypted using the default option, describe-table does not display the SSEDescription status, but the table data is encrypted at rest using the AWS owned CMK. So that means whenever you are not seeing the SSEDescription field in the describe-table output, the table is encrypted using the default option.

Only when you opt for KMS-based encryption would you see the following data in your describe-table output:

"SSEDescription": {
    "SSEType": "KMS",
    "Status": "ENABLED",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-a123-ab1234a1b234"
}

Hence I think your query is returning inconsistent results, and you will have to adjust your query for the case where, with the default encryption, there is no SSEDescription.status.

AWS
answered 3 years ago
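As an added example (not part of the question or the answer above), here is a small Python check that reads describe-table output and classifies the encryption mode the way the answer describes: a missing SSEDescription is treated as the default AWS owned key, not as "unencrypted". The two sample outputs are constructed, trimmed versions of the tables shown above, with placeholder account and key IDs.

```python
# Added example: classify DynamoDB tables by encryption mode from
# describe-table output, and show why the AWS Config query
# `configuration.ssedescription.status <> 'ENABLED'` flags default tables.
import json

# Constructed sample describe-table outputs, trimmed to the relevant fields
# (account ID and key ID are placeholders, not real values).
DEFAULT_ENCRYPTED_TABLE = json.loads("""{
  "Table": {"TableName": "REFERENCE_DATA", "TableStatus": "ACTIVE"}
}""")
KMS_ENCRYPTED_TABLE = json.loads("""{
  "Table": {"TableName": "MyTable", "TableStatus": "ACTIVE",
            "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
              "KMSMasterKeyArn": "arn:aws:kms:eu-west-2:111122223333:key/EXAMPLE-KEY-ID"}}
}""")
# Constructed: a table caught mid-change, which a reviewer should re-check later.
TRANSITIONING_TABLE = json.loads("""{
  "Table": {"TableName": "InFlight", "TableStatus": "UPDATING",
            "SSEDescription": {"Status": "UPDATING", "SSEType": "KMS"}}
}""")


def encryption_mode(describe_table_output: dict) -> str:
    """Return 'AWS_OWNED_KEY', 'KMS' or 'UNKNOWN'.

    A missing SSEDescription means the table uses the default AWS owned key;
    the data is still encrypted at rest, it just is not reported here.
    """
    sse = describe_table_output["Table"].get("SSEDescription")
    if sse is None:
        return "AWS_OWNED_KEY"
    if sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS":
        return "KMS"
    # Anything else (e.g. Status ENABLING/UPDATING) needs a second look.
    return "UNKNOWN"


def naive_query_flags(describe_table_output: dict) -> bool:
    """Mimic `ssedescription.status <> 'ENABLED'`: a missing field is not
    equal to 'ENABLED', so default-encrypted tables are wrongly flagged."""
    status = describe_table_output["Table"].get("SSEDescription", {}).get("Status")
    return status != "ENABLED"


def needs_attention(describe_table_output: dict) -> bool:
    """Corrected check: flag only tables that are neither default- nor KMS-encrypted."""
    return encryption_mode(describe_table_output) == "UNKNOWN"
```

Running `needs_attention` over the output of `aws dynamodb describe-table` for each table gives a list that excludes the default-encrypted tables the original query reports.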
