Ensure DynamoDB Tables are encrypted with customer managed key

Security & Compliance

Encrypting DynamoDB tables with customer-managed keys means that data at rest is protected with keys the account owner controls, rather than keys AWS controls. This is considered best practice because it adds a layer of control: the owner manages the key according to their own security requirements instead of relying on AWS defaults. When a DynamoDB table is created, it can be encrypted with either an AWS-managed key or a customer-managed key; by default, tables are encrypted with an AWS-managed key.


To ensure DynamoDB tables are encrypted with a customer-managed key, users should follow these remediation steps:

  1. Create a customer-managed KMS key if one does not already exist.
  2. Enable encryption at rest for the DynamoDB table using the customer-managed KMS key.
  3. Verify that the encryption is enabled for the table and that the customer-managed KMS key is being used for encryption.
  4. Migrate any data that is not encrypted to the new encrypted table.
  5. Update the application code to use the new encrypted table.
  6. Remove any old unencrypted tables and data.

Regularly monitoring and reviewing the encryption configuration for DynamoDB tables is also recommended to ensure ongoing compliance with security best practices.
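An added example, not Lightlytics or AWS code, that covers the verification in step 3 and the ongoing monitoring recommended above: a compliance check evaluated over constructed describe_table and describe_key responses, plus the update_table arguments for step 2. The table names, account ID and key ARNs are placeholders; in a real run the two dicts would be populated from boto3 calls against the account.

```python
# Constructed samples shaped like the "Table" element of boto3 dynamodb.describe_table()
# and the "KeyMetadata" element of kms.describe_key(); IDs and ARNs are placeholders.
SAMPLE_TABLES = {
    # No SSEDescription at all: the table still uses the DynamoDB default key.
    "orders": {"TableName": "orders"},
    # KMS encryption is on, but with the AWS managed service key, not a CMK.
    "customers": {"TableName": "customers", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0000"}},
    # Customer managed key: the target state of the remediation.
    "payments": {"TableName": "payments", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/cmk-0000"}},
}
# KMS reports who manages a key in KeyManager: "AWS" or "CUSTOMER".
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0000":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0000":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

def key_finding(table: dict, key_metadata: dict) -> str:
    """Return "COMPLIANT" or "NON_COMPLIANT: <reason>" for one table description."""
    sse = table.get("SSEDescription")
    if sse is None:
        return "NON_COMPLIANT: no SSEDescription, table uses the DynamoDB default key"
    if sse.get("Status") != "ENABLED":
        return f"NON_COMPLIANT: encryption status is {sse.get('Status')}"
    if sse.get("SSEType") != "KMS":
        return f"NON_COMPLIANT: SSEType is {sse.get('SSEType')}, not KMS"
    arn = sse.get("KMSMasterKeyArn")
    meta = key_metadata.get(arn)
    if meta is None:
        return f"NON_COMPLIANT: key {arn} not visible in KMS (deleted or cross-account)"
    if meta.get("KeyManager") != "CUSTOMER":
        return "NON_COMPLIANT: key is AWS managed, not customer managed"
    if meta.get("KeyState") != "Enabled":
        return f"NON_COMPLIANT: CMK state is {meta.get('KeyState')}; table data is inaccessible"
    return "COMPLIANT"

def audit(tables: dict, keys: dict) -> dict:
    """Evaluate every table; suitable for the scheduled re-check the text recommends."""
    return {name: key_finding(desc, keys) for name, desc in tables.items()}

def remediation_args(table_name: str, cmk_arn: str) -> dict:
    """Arguments for dynamodb.update_table() that move the table onto the given CMK."""
    return {"TableName": table_name, "SSESpecification": {
        "Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": cmk_arn}}
```

The check deliberately refuses to pass a table whose key is merely "KMS": only a key whose KeyManager is CUSTOMER and whose state is Enabled satisfies the rule.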

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.