## DynamoDB With Aws Owned CMK
- Query id: c8dee387-a2e6-4a73-a942-183c975549ac
- Query name: DynamoDB With Aws Owned CMK
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
### Description
DynamoDB tables should be encrypted with an AWS managed CMK rather than the AWS-owned CMK. The check inspects `SSESpecification.SSEEnabled` on each `AWS::DynamoDB::Table`: `false` means the AWS-owned CMK is used, `true` means an AWS managed CMK. The default value is `false`, so a table that omits `SSESpecification` or `SSEEnabled` is flagged as well.
Documentation
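As an added illustration of the rule above (this is not the KICS query itself, which is written in Rego), the following Python checker walks a parsed CloudFormation template and flags every `AWS::DynamoDB::Table` whose `SSESpecification.SSEEnabled` is absent or not `true`, i.e. every table that falls back to the AWS-owned key. The function names and the merged sample template are constructed for this example; the table definitions in the sample are taken from the positive and negative tests on this page, with the KMS key policy left out for brevity.

```python
import json
from typing import Any

TABLE_TYPE = "AWS::DynamoDB::Table"


def _is_true(value: Any) -> bool:
    """CloudFormation accepts the boolean true or the string "true"; treat both as enabled."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_aws_owned_cmk_tables(template: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per DynamoDB table that still uses the AWS-owned CMK.

    A table is flagged when SSESpecification is missing, when SSEEnabled is not
    set (the default is false), or when SSEEnabled is set to anything but true.
    """
    findings: list[dict[str, str]] = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != TABLE_TYPE:
            continue
        props = resource.get("Properties") or {}
        sse = props.get("SSESpecification")
        if not isinstance(sse, dict):
            reason = "SSESpecification is missing, so SSEEnabled defaults to false"
        elif "SSEEnabled" not in sse:
            reason = "SSESpecification.SSEEnabled is not set, so it defaults to false"
        elif not _is_true(sse["SSEEnabled"]):
            reason = f"SSESpecification.SSEEnabled is {sse['SSEEnabled']!r}"
        else:
            continue  # SSEEnabled: true -> KMS key managed in the account
        findings.append({"resource": logical_id, "reason": reason})
    return findings


def scan_json_template(text: str) -> list[str]:
    """Parse a JSON template and return the logical IDs of the flagged tables."""
    return [f["resource"] for f in find_aws_owned_cmk_tables(json.loads(text))]


# Constructed sample: the three positive tables and the negative table from this
# page merged into one template (the KMS key's policy is omitted here).
SAMPLE_TEMPLATE = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "dynamodbKMSKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "An example CMK"}},
    "DynamoDBOnDemandTable2": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {"TableName": "dynamodb-kms-0", "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "SSESpecification": {"SSEEnabled": false, "SSEType": "KMS"}}
    },
    "DynamoDBOnDemandTable4": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {"TableName": "dynamodb-kms-2", "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "SSESpecification": {"SSEType": "KMS"}}
    },
    "DynamoDBOnDemandTable5": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {"TableName": "dynamodb-kms-3", "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}]}
    },
    "DynamoDBOnDemandTable1": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {"TableName": "dynamodb-kms", "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "SSESpecification": {"KMSMasterKeyId": "dynamodbKMSKey", "SSEEnabled": true, "SSEType": "KMS"}}
    }
  }
}
"""

if __name__ == "__main__":
    for finding in find_aws_owned_cmk_tables(json.loads(SAMPLE_TEMPLATE)):
        print(f"{finding['resource']}: {finding['reason']}")
```

Running the script reports `DynamoDBOnDemandTable2`, `DynamoDBOnDemandTable4` and `DynamoDBOnDemandTable5` with the reason each one is flagged, and stays silent on `DynamoDBOnDemandTable1`. YAML templates can be fed through the same function once parsed; a YAML loader needs a constructor for the `!Ref` tag, which is why the sample here is JSON.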
### Code samples
#### Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
Resources:
  DynamoDBOnDemandTable2:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "dynamodb-kms-0"
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: false
        SSEType: "KMS"
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-11"
Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
Resources:
  DynamoDBOnDemandTable4:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "dynamodb-kms-2"
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEType: "KMS"
```
Positive test num. 3 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-10"
Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
Resources:
  DynamoDBOnDemandTable5:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "dynamodb-kms-3"
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
```
Positive test num. 4 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Sample CloudFormation template for DynamoDB with AWS-Owned CMK",
  "Resources": {
    "DynamoDBOnDemandTable2": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "TableName": "dynamodb-kms-0",
        "AttributeDefinitions": [
          {
            "AttributeName": "pk",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "pk",
            "KeyType": "HASH"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": {
          "SSEEnabled": false,
          "SSEType": "KMS"
        }
      }
    }
  }
}
```
Positive test num. 5 - json file
```json
{
  "Description": "Sample CloudFormation template for DynamoDB with AWS-Owned CMK",
  "Resources": {
    "DynamoDBOnDemandTable4": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "SSESpecification": {
          "SSEType": "KMS"
        },
        "TableName": "dynamodb-kms-2",
        "AttributeDefinitions": [
          {
            "AttributeName": "pk",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "pk",
            "KeyType": "HASH"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-11"
}
```
Positive test num. 6 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-10",
  "Description": "Sample CloudFormation template for DynamoDB with AWS-Owned CMK",
  "Resources": {
    "DynamoDBOnDemandTable5": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "TableName": "dynamodb-kms-3",
        "AttributeDefinitions": [
          {
            "AttributeName": "pk",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "pk",
            "KeyType": "HASH"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST"
      }
    }
  }
}
```
#### Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample CloudFormation template for DynamoDB with customer managed CMK
Resources:
  dynamodbKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "An example CMK"
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/ana"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/ana"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"
  DynamoDBOnDemandTable1:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "dynamodb-kms"
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        KMSMasterKeyId: !Ref dynamodbKMSKey
        SSEEnabled: true
        SSEType: "KMS"
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "dynamodbKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example CMK",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/ana"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/ana"
              },
              "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "DynamoDBOnDemandTable1": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": {
          "KMSMasterKeyId": "dynamodbKMSKey",
          "SSEEnabled": true,
          "SSEType": "KMS"
        },
        "TableName": "dynamodb-kms",
        "AttributeDefinitions": [
          {
            "AttributeName": "pk",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "pk",
            "KeyType": "HASH"
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
}
```