Encrypting DynamoDB with AWS KMS: A Secure and Easy Guide
Author: L.W.J (@supasaf)
When it comes to storing and retrieving application data, Amazon DynamoDB is a popular choice for many developers. It's a fast, fully managed NoSQL database service that provides seamless scalability and low-latency performance. However, ensuring data security in DynamoDB is a top priority, and that's where AWS Key Management Service (KMS) comes into play.
AWS KMS is a managed service for creating and controlling cryptographic keys and governing their use across AWS services and applications. In this post I'll show how to use Terraform to create a customer managed key in AWS KMS (AWS formerly called these Customer Master Keys, or CMKs, and the older term still appears in many docs and API names) and use it for server-side encryption of a new DynamoDB table. Note that DynamoDB already encrypts every table at rest with an AWS owned key; what a customer managed key adds is control: you own the key policy, rotation and deletion schedule, and every use of the key is logged in CloudTrail, so you can decide and audit which principals are able to read the data.
First, let's create the key using Terraform. Here's a simple HCL example that defines a new customer managed key in AWS KMS:

```hcl
resource "aws_kms_key" "dynamodb_key" {
  description             = "KMS key for encrypting DynamoDB tables"
  # Waiting period before a scheduled deletion actually happens (7-30 days).
  deletion_window_in_days = 7
  # Automatic annual rotation of the key material; a KMS best practice with no
  # impact on callers, since ciphertext remembers which key version encrypted it.
  enable_key_rotation     = true
}

output "kms_key_id" {
  value = aws_kms_key.dynamodb_key.id
}
```
After `terraform apply`, the new key appears under "Customer managed keys" in the AWS KMS console.
Now that we have our key, we can use it to create an encrypted DynamoDB table. Here's an HCL configuration for a DynamoDB table with server-side encryption (SSE) enabled, pointing at the key we just created:
```hcl
resource "aws_dynamodb_table" "encrypted_table" {
  name         = "my-encrypted-table"
  # On-demand capacity. With PAY_PER_REQUEST, read_capacity and write_capacity
  # must not be set; they only apply to billing_mode = "PROVISIONED".
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    # Our customer managed key. If kms_key_arn is omitted while enabled = true,
    # DynamoDB falls back to the AWS managed key aws/dynamodb instead.
    kms_key_arn = aws_kms_key.dynamodb_key.arn
  }
}

output "dynamodb_table_name" {
  value = aws_dynamodb_table.encrypted_table.name
}
```
Now add a simple item to confirm that the table works as expected.
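One way to add that test item is to let Terraform write it, using the `aws_dynamodb_table_item` resource. This is an added example and not part of the original post; the item's attributes and values are constructed sample data.

```hcl
# Added example: a test item written by Terraform itself (not from the original post).
# The attribute names and values below are constructed sample data.
resource "aws_dynamodb_table_item" "test_item" {
  table_name = aws_dynamodb_table.encrypted_table.name
  hash_key   = aws_dynamodb_table.encrypted_table.hash_key

  # DynamoDB's typed JSON: every attribute carries its type tag
  # (S = string, N = number, passed as a string).
  item = jsonencode({
    id         = { S = "user-001" }
    email      = { S = "alice@example.com" }
    created_at = { N = "1700000000" }
  })
}
```

After `terraform apply`, a principal that is allowed to use the key can read the item back with `aws dynamodb get-item --table-name my-encrypted-table --key '{"id":{"S":"user-001"}}'`. Keep in mind that the principal running Terraform must itself have permission to use the KMS key through DynamoDB, or the PutItem behind this resource is denied.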
With this configuration, DynamoDB encrypts the table's data at rest under a table key that is itself protected by our KMS key. The practical difference from the default encryption is access control: to read or write the table, a principal must be allowed to use the key (kms:Decrypt and related actions), either by the key policy or by an IAM policy that the key policy delegates to, on top of the usual DynamoDB permissions. Anyone who obtains the raw storage, a backup or an export without access to the key sees only ciphertext. Encryption at rest is one layer, not a complete defense: it does nothing against a principal who legitimately holds both DynamoDB and KMS permissions, or against flaws in the application that reads the data.
Assuming there is another IAM user, dynamo_test_user, with only the AmazonDynamoDBFullAccess managed policy attached, that user will not be able to read or write the contents of this table. The managed policy grants dynamodb:* and a few read-only KMS describe calls, but not kms:Decrypt or kms:GenerateDataKey, so the KMS request that DynamoDB makes on the user's behalf fails and the table operation is rejected with an AccessDeniedException that names the KMS key.

One caveat: because we did not set a `policy` on the key, it received the default key policy, which grants the account root kms:* and thereby lets any IAM policy in the account hand out key usage. dynamo_test_user is locked out only until someone attaches an IAM policy with kms:Decrypt on this key. If you want the key policy itself to be the gate, write one that names the allowed principals explicitly.
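Here is what such an explicit key policy looks like, as an added example that is not part of the original post. It is a drop-in replacement for the `aws_kms_key.dynamodb_key` resource above. The application role name `dynamodb-app-role`, its Lambda trust policy, the variable `deployer_role_arn` and the alias name are assumptions for illustration. The root statement keeps only administrative actions, so IAM policies in the account can no longer grant data access to this key; only the principals listed in the second statement can use it, and only through DynamoDB.

```hcl
# Added example (not from the original post): the same KMS key with an explicit
# key policy. Assumed names: role "dynamodb-app-role", variable deployer_role_arn,
# alias "alias/dynamodb-tables".
data "aws_caller_identity" "current" {}

# ARN of the role that runs `terraform apply`. DynamoDB verifies key usage when
# the table is created, so the deployer needs the same usage statement as the app.
variable "deployer_role_arn" {
  type = string
}

# Hypothetical application role; it and the deployer are the only key users.
resource "aws_iam_role" "dynamodb_app" {
  name = "dynamodb-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_kms_key" "dynamodb_key" {
  description             = "KMS key for encrypting DynamoDB tables"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Administration only: no kms:Encrypt/Decrypt/GenerateDataKey* and no
        # kms:CreateGrant, so an IAM policy alone can never unlock table data.
        # Without this statement the account could lose control of the key.
        Sid       = "KeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action = [
          "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
          "kms:GetKeyRotationStatus", "kms:EnableKeyRotation", "kms:DisableKeyRotation",
          "kms:EnableKey", "kms:DisableKey", "kms:UpdateKeyDescription",
          "kms:CreateAlias", "kms:UpdateAlias", "kms:DeleteAlias", "kms:ListAliases",
          "kms:ListResourceTags", "kms:TagResource", "kms:UntagResource",
          "kms:ListGrants", "kms:RevokeGrant", "kms:RetireGrant",
          "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
        ]
        Resource = "*"
      },
      {
        # Data access, granted only when the request arrives through DynamoDB,
        # so the same principal cannot call kms:Decrypt directly on the key.
        Sid       = "UseKeyThroughDynamoDB"
        Effect    = "Allow"
        Principal = { AWS = [aws_iam_role.dynamodb_app.arn, var.deployer_role_arn] }
        Action = [
          "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
          "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
        ]
        Resource = "*"
        Condition = {
          StringLike = { "kms:ViaService" = "dynamodb.*.amazonaws.com" }
        }
      },
    ]
  })
}

resource "aws_kms_alias" "dynamodb_key" {
  name          = "alias/dynamodb-tables"
  target_key_id = aws_kms_key.dynamodb_key.key_id
}
```

With this policy in place, dynamo_test_user stays locked out even if an IAM policy with kms:Decrypt is attached to that user, because the key policy no longer delegates usage to IAM; to allow another principal, add its ARN to the `UseKeyThroughDynamoDB` statement. Two things to check before applying: the deployer must still hold the administrative KMS actions through IAM (the root statement delegates those), otherwise Terraform can no longer read or update the key, and KMS will refuse a policy that would lock the caller out unless `bypass_policy_lockout_safety_check` is set, which you should not do casually.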
Leveraging AWS KMS to encrypt DynamoDB tables with Terraform is an effective way to enhance the security of your data storage solution. By following cybersecurity best practices and using modern infrastructure management tools like Terraform, you can create a more secure and manageable environment for your applications. Keep an eye out for future blog posts on this topic, where we'll explore more advanced use cases and tips for using Terraform with AWS services.