AWS Database Blog

Bring your own encryption keys to Amazon DynamoDB

Today, Amazon DynamoDB introduced support for customer managed customer master keys (CMKs) to encrypt DynamoDB data. Often referred to as bring your own encryption (BYOE) or bring your own key (BYOK), this functionality lets you create, own, and manage encryption keys in DynamoDB, giving you full control over how you encrypt and manage the security of your DynamoDB data.

DynamoDB is a fully managed, multiregion, multimaster database that encrypts all your data at rest by default to help enhance the security of your DynamoDB data. Previously, DynamoDB gave you the option to use the AWS owned CMK or AWS managed CMK to encrypt your data. Now, you can use customer managed CMKs to help protect sensitive applications, adhere to your organization’s policies, meet compliance and regulatory requirements, and maintain an additional secure copy of your encryption keys outside of AWS.

In this blog post, we demonstrate how you can use customer managed CMKs with DynamoDB encryption at rest.

DynamoDB encryption key options

Previously, DynamoDB encrypted all table data at rest with the AWS owned CMK unless you opted to use an AWS managed CMK instead. Now you have a third option: encrypting your data with a customer managed CMK.

You do not have to make any code or application modifications to encrypt your data and update encryption keys. The process of updating encryption keys is seamless and does not require downtime, and it does not degrade service. All DynamoDB encryption key options use 256-bit Advanced Encryption Standard (AES-256), which helps secure your data from unauthorized access to the underlying storage. You also can use AWS CloudTrail to monitor detailed auditing information about AWS Key Management Service (KMS) key creation, usage, and deletion.

You can use a customer managed CMK to encrypt your data in one step in the AWS Management Console, with a simple API call, or with the AWS CLI. When you specify a customer managed CMK as the table-level encryption key, your DynamoDB table, local and global secondary indexes, and streams are encrypted with the same customer managed CMK. On-demand backups are encrypted with the table-level encryption key specified when the backups were created.

How to create a new DynamoDB table that’s encrypted with a customer managed CMK

To get started with DynamoDB encryption at rest using a customer managed CMK, sign in to the AWS Management Console. To create a new table and use a customer managed CMK for its encryption, follow these steps:

  1. Create a customer managed CMK in AWS KMS. For more information, see Creating Keys.
  2. Under Table settings, clear the Use default settings check box (choosing Use default settings encrypts tables by using an AWS owned CMK, which we aren’t doing in this example).
  3. Under Encryption At Rest, choose “KMS – Customer managed CMK”.
  4. From the drop-down menu, choose the AWS KMS customer managed CMK you would like to use to encrypt the table. In the following screenshot, we have chosen dynamodb-cmk. Choose Create.

How to enable customer managed CMK encryption for an existing table

If you already have a table and want to use a customer managed CMK for its encryption, follow these steps:

  1. Create your customer managed CMK in AWS KMS. For more information, see Creating Keys.
  2. In the DynamoDB console, choose Overview and then choose Manage Encryption.
  3. Choose “KMS – Customer managed CMK”. From the drop-down menu, choose the AWS KMS customer managed CMK you would like to use to encrypt the table. In the following screenshot, we have chosen dynamodb-cmk. Choose Save.

Using CloudFormation to create a new DynamoDB table with a customer managed CMK

The following AWS CloudFormation template code example demonstrates how to create a new DynamoDB table and specify a customer managed CMK as the encryption key.

AWSTemplateFormatVersion: "2010-09-09"
Description: Sample CloudFormation template for DynamoDB with customer managed CMK
# Top-level section names are case-sensitive; CloudFormation rejects "resources".
Resources:
  dynamodbKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "An example CMK"
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          # Key administration. Only the user ana can manage this key; no other
          # principal (not even the account root) can change this policy later.
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/ana"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          # Key use: the cryptographic operations DynamoDB performs with the
          # key on the caller's behalf when it protects the table.
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/ana"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"

  DynamoDBOnDemandTable:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "dynamodb-kms"
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        # !Ref on an AWS::KMS::Key returns the key ID, which KMSMasterKeyId accepts.
        KMSMasterKeyId: !Ref dynamodbKMSKey
        SSEEnabled: true
        SSEType: "KMS"

The preceding template is a starting point: it defines a single IAM user in the account (ana) as the only principal that can administer and use the customer managed CMK. You will probably want a more complete AWS Identity and Access Management (IAM) policy for the CMK, so also review the IAM statements that govern AWS KMS key access. For more information about creating CloudFormation templates, see KMS Resource Type Reference and DynamoDB Resource Type Reference.
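Before deploying a key policy like the one above, it is worth checking what it actually grants, because IAM action wildcards (for example "kms:ReEncrypt*" or "kms:Create*") decide which calls succeed. The following Python is an added example, not code from the original post or an AWS library: KEY_POLICY is a constructed rendering of the template's KeyPolicy extended with a hypothetical application role (APP_ROLE) in the "use" statement, and DYNAMODB_REQUIRED is an assumed list made of the template's "use" actions plus kms:CreateGrant, which DynamoDB calls on the caller's behalf because it protects the table through KMS grants. The check resolves the wildcards and reports which required actions a principal lacks.

```python
"""Check that a KMS key policy grants a principal the actions DynamoDB needs.

Added example (not code from the original post). KEY_POLICY is a constructed
Python rendering of the template's KeyPolicy, extended with a hypothetical
application role in the "use" statement; the account ID and ARNs are placeholders.
"""
from fnmatch import fnmatchcase

ANA = "arn:aws:iam::123456789012:user/ana"              # principal from the template
APP_ROLE = "arn:aws:iam::123456789012:role/orders-app"  # hypothetical extra key user

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": ANA},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [ANA, APP_ROLE]},
            "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
            "Resource": "*",
        },
    ],
}

# Actions a principal needs on the CMK to create or re-key a table with it.
# Assumption: the template's "use" actions (with ReEncrypt* spelled out) plus
# kms:CreateGrant, which DynamoDB calls on the caller's behalf.
DYNAMODB_REQUIRED = [
    "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    """Key policy principals are "*" or {"AWS": <arn or list of arns>}."""
    if principal == "*":
        return True
    return any(p in ("*", arn) for p in _as_list(principal.get("AWS", [])))


def _action_matches(patterns, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def allows(policy, principal_arn, action):
    """A matching explicit Deny wins; otherwise at least one Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, principal_arn, required=DYNAMODB_REQUIRED):
    """Required actions the policy does not grant this principal, in list order."""
    return [a for a in required if not allows(policy, principal_arn, a)]


if __name__ == "__main__":
    for who in (ANA, APP_ROLE):
        print(who, "missing:", missing_actions(KEY_POLICY, who) or "nothing")
```

For ana nothing is missing, because the administration statement's "kms:Create*" already covers kms:CreateGrant; the application role, which appears only in the "use" statement, is reported as lacking it. The same walk over the statements shows that no account root principal is listed, so IAM identity policies in the account cannot grant anyone else access to this key; only ana can change that.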

Verifying your encryption key

No matter which method you use to encrypt your DynamoDB table with a customer managed CMK, you can verify that your table is using the appropriate key in the DynamoDB console on the Overview tab in Table details. Verify that Encryption Type and KMS Master Key ARN reflect your choices.
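The same verification can be scripted across many tables from the DescribeTable API, which is what the console's Table details panel is reading. The following Python is an added example, not code from the original post: the table descriptions are constructed stand-ins for the "Table" member of boto3.client("dynamodb").describe_table(TableName=...), and EXPECTED_CMK is a placeholder ARN. It classifies each table by the key that protects it, accepts the expected key as an ARN or a bare key ID (what !Ref on an AWS::KMS::Key returns), and treats a table whose key change is still in progress as not yet compliant.

```python
"""Verify which KMS key encrypts each DynamoDB table from DescribeTable output.

Added example (not code from the original post). The table descriptions are
constructed; in practice each is the "Table" member of
boto3.client("dynamodb").describe_table(TableName=name).
"""

# Placeholder CMK ARN (constructed; substitute your own key's ARN or key ID).
EXPECTED_CMK = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed DescribeTable results. DynamoDB returns SSEDescription only when a
# table uses an AWS managed or customer managed CMK; a table on the default
# AWS owned CMK carries no SSEDescription at all.
SAMPLE_TABLES = {
    "orders": {
        "TableName": "orders",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                           "KMSMasterKeyArn": EXPECTED_CMK},
    },
    "sessions": {"TableName": "sessions"},  # still on the AWS owned CMK
    "audit-log": {
        "TableName": "audit-log",
        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                           "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:"
                                              "key/99999999-8888-7777-6666-555555555555"},
    },
    "migrating": {  # key change submitted but not yet applied
        "TableName": "migrating",
        "SSEDescription": {"Status": "UPDATING", "SSEType": "KMS",
                           "KMSMasterKeyArn": EXPECTED_CMK},
    },
}


def key_id(key_ref):
    """Reduce a KMS key ARN (".../key/<id>") or a bare key ID to the key ID."""
    return key_ref.rsplit("key/", 1)[-1]


def classify_encryption(table, expected_cmk):
    """Return AWS_OWNED_CMK, KEY_CHANGE_IN_PROGRESS, EXPECTED_CMK or OTHER_KMS_KEY."""
    sse = table.get("SSEDescription")
    if not sse:
        return "AWS_OWNED_CMK"
    if sse.get("Status") != "ENABLED":
        return "KEY_CHANGE_IN_PROGRESS"
    if key_id(sse.get("KMSMasterKeyArn", "")) == key_id(expected_cmk):
        return "EXPECTED_CMK"
    # Some other key: either the AWS managed aws/dynamodb key or a different CMK.
    # DescribeTable cannot tell those apart; kms:DescribeKey on the ARN reports
    # KeyManager "AWS" or "CUSTOMER".
    return "OTHER_KMS_KEY"


def audit_tables(tables, expected_cmk):
    """Map each table name to its encryption classification."""
    return {name: classify_encryption(desc, expected_cmk) for name, desc in tables.items()}


def noncompliant_tables(tables, expected_cmk):
    """Sorted names of tables not (yet) encrypted with the expected CMK."""
    return sorted(name for name, state in audit_tables(tables, expected_cmk).items()
                  if state != "EXPECTED_CMK")


if __name__ == "__main__":
    for name, state in audit_tables(SAMPLE_TABLES, EXPECTED_CMK).items():
        print(f"{name:10s} {state}")
    print("non-compliant:", noncompliant_tables(SAMPLE_TABLES, EXPECTED_CMK))
```

Run against live data, the dictionary passed to audit_tables would be built from list_tables followed by describe_table for each name; the Status check matters because the key switch described above is applied in the background, and a table reports UPDATING until it completes.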

Conclusion

DynamoDB encryption at rest support for customer managed CMKs is now available in all commercial AWS Regions, except the Asia Pacific (Osaka-Local) Region. You can also use this feature in the AWS China (Beijing) and AWS China (Ningxia) Regions, and the AWS GovCloud (US) Regions. To learn more about encryption at rest, see Managing Encrypted Tables.

About the Authors

Chad Tindel is a DynamoDB Specialist Solutions Architect based out of New York City. He works with large enterprises to evaluate, design, and deploy DynamoDB-based solutions. Prior to joining Amazon he held similar roles at Red Hat, Cloudera, MongoDB, and Elastic.

Mazen Ali is a Senior Product Manager with Amazon Web Services.