DynamoDB table not encrypted
Id: 4bd21e68-38c1-4d58-acdc-6a14b203237f
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Encryption
Description
DynamoDB tables must have server-side encryption enabled to protect data at rest and prevent unauthorized access to table contents, backups, and snapshots. In CloudFormation, the AWS::DynamoDB::Table resource must set Properties.SSESpecification.SSEEnabled to true. Resources that omit SSESpecification.SSEEnabled or have SSEEnabled set to false will be flagged.
Secure configuration example:
MyDynamoTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: my-table
    SSESpecification:
      SSEEnabled: true
      SSEType: AES256
Compliant Code Examples
Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: my-table
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: N
        - AttributeName: name
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      SSESpecification:
        SSEEnabled: true
Non-Compliant Code Examples
Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: my-table
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: N
        - AttributeName: name
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      SSESpecification:
        SSEType: KMS

Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: my-table
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: N
        - AttributeName: name
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      SSESpecification:
        SSEEnabled: false
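A static check of the rule described above, as an added example that is not Datadog's or the rule's own implementation: it walks a CloudFormation template in JSON form (the json module avoids a YAML dependency) and flags every AWS::DynamoDB::Table whose Properties.SSESpecification.SSEEnabled is not literally true, covering the shapes shown in the examples above (only SSEType set, SSEEnabled: false, no SSESpecification at all). The constructed SAMPLE_TEMPLATE, the acceptance of the string "true", and the handling of intrinsic functions are assumptions, not part of the rule text.

```python
"""Static check of a CloudFormation template (JSON form) for DynamoDB tables
without server-side encryption. Added example, not Datadog's rule code."""
import json

TABLE_TYPE = "AWS::DynamoDB::Table"


def sse_enabled(properties: dict) -> bool:
    """True only when Properties.SSESpecification.SSEEnabled is literally true.
    Missing SSESpecification, missing SSEEnabled (e.g. only SSEType set) and
    SSEEnabled: false all count as not encrypted. CloudFormation also accepts
    the string "true" for booleans, so that spelling is accepted (assumption).
    Intrinsic functions such as {"Ref": ...} cannot be resolved statically and
    are treated as not compliant so they surface for review.
    """
    spec = properties.get("SSESpecification") or {}
    value = spec.get("SSEEnabled")
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_unencrypted_tables(template: dict) -> list[str]:
    """Return logical IDs of DynamoDB tables that the rule would flag."""
    resources = template.get("Resources", {})
    return [
        logical_id
        for logical_id, resource in resources.items()
        if resource.get("Type") == TABLE_TYPE
        and not sse_enabled(resource.get("Properties") or {})
    ]


# Constructed template covering the page's compliant and non-compliant cases
# plus a non-table resource that must be ignored by the check.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "Encrypted": {"Type": "AWS::DynamoDB::Table",
      "Properties": {"SSESpecification": {"SSEEnabled": true}}},
    "OnlySSEType": {"Type": "AWS::DynamoDB::Table",
      "Properties": {"SSESpecification": {"SSEType": "KMS"}}},
    "Disabled": {"Type": "AWS::DynamoDB::Table",
      "Properties": {"SSESpecification": {"SSEEnabled": false}}},
    "NoSpec": {"Type": "AWS::DynamoDB::Table", "Properties": {"TableName": "t"}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}""")
```

Running find_unencrypted_tables(SAMPLE_TEMPLATE) returns the three logical IDs that this rule would report, in template order.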