Amazon DynamoDB controls - AWS Control Tower

Amazon DynamoDB controls

[CT.DYNAMODB.PR.1] Require that point-in-time recovery for an Amazon DynamoDB table is activated

This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.

  • Control objective: Improve resiliency

  • Implementation: AWS CloudFormation Guard Rule

  • Control behavior: Proactive

  • Resource types: AWS::DynamoDB::Table

  • AWS CloudFormation guard rule: CT.DYNAMODB.PR.1 rule specification

Details and examples

Explanation

Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon DynamoDB point-in-time recovery (PITR) automates backups for DynamoDB tables, which can reduce the time required to recover from accidental delete or write operations. DynamoDB tables that have PITR enabled can be restored to any point in time within the last 35 days.

Remediation for rule failure

Provide a PointInTimeRecoverySpecification configuration and set PointInTimeRecoveryEnabled to true.

The examples that follow show how to implement this remediation.

Amazon DynamoDB Table - Example

Amazon DynamoDB table configured with point-in-time recovery activated. The example is shown in JSON and in YAML.

JSON example

{
    "DynamoDBTable": {
        "Type": "AWS::DynamoDB::Table",
        "Properties": {
            "AttributeDefinitions": [
                {
                    "AttributeName": "PK",
                    "AttributeType": "S"
                }
            ],
            "BillingMode": "PAY_PER_REQUEST",
            "KeySchema": [
                {
                    "AttributeName": "PK",
                    "KeyType": "HASH"
                }
            ],
            "PointInTimeRecoverySpecification": {
                "PointInTimeRecoveryEnabled": true
            }
        }
    }
}

YAML example

DynamoDBTable:
  Type: AWS::DynamoDB::Table
  Properties:
    AttributeDefinitions:
      - AttributeName: PK
        AttributeType: S
    BillingMode: PAY_PER_REQUEST
    KeySchema:
      - AttributeName: PK
        KeyType: HASH
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: true

CT.DYNAMODB.PR.1 rule specification

# ###################################
##       Rule Specification        ##
#####################################
#
# Rule Identifier:
#   dynamodb_table_pitr_enabled_check
#
# Description:
#   This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
#
# Reports on:
#   AWS::DynamoDB::Table
#
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
#
# Rule Parameters:
#   None
#
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any DynamoDB table resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'PointInTimeRecoverySpecification' is not present on the DynamoDB table resource
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'PointInTimeRecoverySpecification' is present on the DynamoDB table resource
#       And: 'PointInTimeRecoveryEnabled' in 'PointInTimeRecoverySpecification' is missing or is a value
#            other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'PointInTimeRecoverySpecification' is present on the DynamoDB table resource
#       And: 'PointInTimeRecoveryEnabled' in 'PointInTimeRecoverySpecification' is present and set to bool(true)
#      Then: PASS

#
# Constants
#
let DYNAMODB_TABLE_TYPE = "AWS::DynamoDB::Table"
let INPUT_DOCUMENT = this

#
# Assignments
#
let dynamodb_tables = Resources.*[ Type == %DYNAMODB_TABLE_TYPE ]

#
# Primary Rules
#
rule dynamodb_table_pitr_enabled_check when is_cfn_template(%INPUT_DOCUMENT)
                                            %dynamodb_tables not empty {
    check(%dynamodb_tables.Properties)
        <<
        [CT.DYNAMODB.PR.1]: Require that point-in-time recovery for an Amazon DynamoDB table is activated
        [FIX]: Provide a 'PointInTimeRecoverySpecification' configuration and set 'PointInTimeRecoveryEnabled' to 'true'.
        >>
}

rule dynamodb_table_pitr_enabled_check when is_cfn_hook(%INPUT_DOCUMENT, %DYNAMODB_TABLE_TYPE) {
    check(%INPUT_DOCUMENT.%DYNAMODB_TABLE_TYPE.resourceProperties)
        <<
        [CT.DYNAMODB.PR.1]: Require that point-in-time recovery for an Amazon DynamoDB table is activated
        [FIX]: Provide a 'PointInTimeRecoverySpecification' configuration and set 'PointInTimeRecoveryEnabled' to 'true'.
        >>
}

rule check(dynamodb_table) {
    %dynamodb_table {
        # Scenario 2
        PointInTimeRecoverySpecification exists
        PointInTimeRecoverySpecification is_struct

        # Scenario 3 and 4
        PointInTimeRecoverySpecification {
            PointInTimeRecoveryEnabled exists
            PointInTimeRecoveryEnabled == true
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, DYNAMODB_TABLE_TYPE) {
    %doc.%DYNAMODB_TABLE_TYPE.resourceProperties exists
}

CT.DYNAMODB.PR.1 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.

Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: "PK"
          AttributeType: "S"
      BillingMode: "PAY_PER_REQUEST"
      KeySchema:
        - AttributeName: "PK"
          KeyType: "HASH"
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.

Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: "PK"
          AttributeType: "S"
      BillingMode: "PAY_PER_REQUEST"
      KeySchema:
        - AttributeName: "PK"
          KeyType: "HASH"
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: false

[CT.DYNAMODB.PR.2] Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key

This control checks whether your Amazon DynamoDB table is encrypted with an AWS Key Management Service (KMS) key.

  • Control objective: Encrypt data at rest

  • Implementation: AWS CloudFormation guard rule

  • Control behavior: Proactive

  • Resource types: AWS::DynamoDB::Table

  • AWS CloudFormation guard rule: CT.DYNAMODB.PR.2 rule specification

Details and examples

Explanation

Amazon DynamoDB encryption at rest provides an additional layer of data protection: everything the table writes to durable media is stored encrypted, including its primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters.

Encryption at rest integrates with AWS KMS for managing the encryption keys that are used to encrypt your tables.

Usage considerations
  • This control requires only that KMS keys are used for server-side encryption. It does not check the properties of the KMS key used, such as whether the key is customer managed or AWS managed. An SSESpecification with SSEEnabled set to true and no KMSMasterKeyId passes the control and encrypts the table with the AWS managed key for DynamoDB (aws/dynamodb); a table that names a customer managed key in KMSMasterKeyId also passes, but the control does not require one. If your policy requires customer managed keys, add a separate check for KMSMasterKeyId.

Remediation for rule failure

Provide an SSESpecification configuration and set SSEEnabled to true.

The examples that follow show how to implement this remediation.

Amazon DynamoDB Table - Example

An Amazon DynamoDB table configured to encrypt data at rest with AWS Key Management Service (KMS) keys. The example is shown in JSON and in YAML.

JSON example

{
    "DynamoDBTable": {
        "Type": "AWS::DynamoDB::Table",
        "Properties": {
            "AttributeDefinitions": [
                {
                    "AttributeName": "PK",
                    "AttributeType": "S"
                }
            ],
            "BillingMode": "PAY_PER_REQUEST",
            "KeySchema": [
                {
                    "AttributeName": "PK",
                    "KeyType": "HASH"
                }
            ],
            "SSESpecification": {
                "SSEEnabled": true
            }
        }
    }
}

YAML example

DynamoDBTable:
  Type: AWS::DynamoDB::Table
  Properties:
    AttributeDefinitions:
      - AttributeName: PK
        AttributeType: S
    BillingMode: PAY_PER_REQUEST
    KeySchema:
      - AttributeName: PK
        KeyType: HASH
    SSESpecification:
      SSEEnabled: true

CT.DYNAMODB.PR.2 rule specification

# ###################################
##       Rule Specification        ##
#####################################
#
# Rule Identifier:
#   dynamodb_table_encrypted_kms_check
#
# Description:
#   This control checks whether your Amazon DynamoDB table is encrypted with an AWS Key Management Service (KMS) key.
#
# Reports on:
#   AWS::DynamoDB::Table
#
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
#
# Rule Parameters:
#   None
#
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any DynamoDB table resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'SSEEnabled' in 'SSESpecification' has not been provided
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'SSEEnabled' in 'SSESpecification' has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains a DynamoDB table resource
#       And: 'SSEEnabled' in 'SSESpecification' has been provided and set to bool(true)
#      Then: PASS

#
# Constants
#
let DYNAMODB_TABLE_TYPE = "AWS::DynamoDB::Table"
let INPUT_DOCUMENT = this

#
# Assignments
#
let dynamodb_tables = Resources.*[ Type == %DYNAMODB_TABLE_TYPE ]

#
# Primary Rules
#
rule dynamodb_table_encrypted_kms_check when is_cfn_template(%INPUT_DOCUMENT)
                                             %dynamodb_tables not empty {
    check(%dynamodb_tables.Properties)
        <<
        [CT.DYNAMODB.PR.2]: Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key
        [FIX]: Provide a 'SSESpecification' configuration and set 'SSEEnabled' to 'true'.
        >>
}

rule dynamodb_table_encrypted_kms_check when is_cfn_hook(%INPUT_DOCUMENT, %DYNAMODB_TABLE_TYPE) {
    check(%INPUT_DOCUMENT.%DYNAMODB_TABLE_TYPE.resourceProperties)
        <<
        [CT.DYNAMODB.PR.2]: Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key
        [FIX]: Provide a 'SSESpecification' configuration and set 'SSEEnabled' to 'true'.
        >>
}

rule check(dynamodb_table) {
    %dynamodb_table {
        # Scenario 2
        SSESpecification exists
        SSESpecification is_struct

        # Scenarios 3 and 4
        SSESpecification {
            SSEEnabled exists
            SSEEnabled == true
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, DYNAMODB_TABLE_TYPE) {
    %doc.%DYNAMODB_TABLE_TYPE.resourceProperties exists
}

CT.DYNAMODB.PR.2 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.

Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
      SSESpecification:
        SSEEnabled: true

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.

Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
      SSESpecification:
        SSEEnabled: false
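The two Guard rules on this page (CT.DYNAMODB.PR.1 and CT.DYNAMODB.PR.2) have the same shape: a specification block must exist and be a struct, and one boolean inside it must be exactly bool(true). The script below is an added example, not AWS Control Tower code or the Guard rules themselves; it re-implements the four scenarios of both rule specifications in Python so that a template can be pre-checked in CI before the proactive control rejects it. The sample templates are constructed from the PASS and FAIL examples above, with two extra cases the rule text implies but the page does not show: a quoted "true" (a string, which scenario 3 rejects although CloudFormation itself would deploy it) and a customer managed key named in KMSMasterKeyId (which passes PR.2 exactly as the AWS managed key does). The hook-payload shape and the helper names are this example's own.

```python
"""Local pre-check mirroring the scenario tables of CT.DYNAMODB.PR.1 and
CT.DYNAMODB.PR.2 for a CloudFormation template (or hook payload) as a dict."""

DYNAMODB_TABLE_TYPE = "AWS::DynamoDB::Table"

# control id -> (specification block, boolean flag inside it), as named on this page
CONTROLS = {
    "CT.DYNAMODB.PR.1": ("PointInTimeRecoverySpecification", "PointInTimeRecoveryEnabled"),
    "CT.DYNAMODB.PR.2": ("SSESpecification", "SSEEnabled"),
}


def table_properties(document):
    """Yield (logical id, Properties) for every DynamoDB table the document declares.

    Mirrors the Guard utility rules: a hook payload is recognised by
    <ResourceType>.resourceProperties, a template by Resources/AWSTemplateFormatVersion.
    """
    hook = document.get(DYNAMODB_TABLE_TYPE, {})
    if isinstance(hook, dict) and "resourceProperties" in hook:
        yield "(hook payload)", hook["resourceProperties"]
        return
    if "Resources" not in document and "AWSTemplateFormatVersion" not in document:
        return
    for logical_id, resource in document.get("Resources", {}).items():
        if resource.get("Type") == DYNAMODB_TABLE_TYPE:
            yield logical_id, resource.get("Properties", {})


def check_table(properties, spec_key, flag_key):
    """Scenarios 2-4 of both rule specifications for one table."""
    spec = properties.get(spec_key)
    if not isinstance(spec, dict):       # Scenario 2: block absent (or not a struct)
        return "FAIL"
    flag = spec.get(flag_key)
    # Scenario 3: the rule compares against bool(true), so the YAML string "true"
    # or the integer 1 fails even though CloudFormation itself would accept them.
    if flag is not True:
        return "FAIL"
    return "PASS"                        # Scenario 4


def evaluate(document, control_id):
    """Return (overall result, per-table results); SKIP is scenario 1."""
    spec_key, flag_key = CONTROLS[control_id]
    per_table = {lid: check_table(props, spec_key, flag_key)
                 for lid, props in table_properties(document)}
    if not per_table:
        return "SKIP", per_table
    return ("FAIL" if "FAIL" in per_table.values() else "PASS"), per_table


def uses_customer_managed_key(properties):
    """Not part of the control: reports whether the table names its own KMS key,
    which CT.DYNAMODB.PR.2 deliberately does not check."""
    return "KMSMasterKeyId" in properties.get("SSESpecification", {})


def _table(**extra_props):
    """Wrap the page's example table in a minimal template (constructed sample)."""
    props = {
        "AttributeDefinitions": [{"AttributeName": "PK", "AttributeType": "S"}],
        "BillingMode": "PAY_PER_REQUEST",
        "KeySchema": [{"AttributeName": "PK", "KeyType": "HASH"}],
    }
    props.update(extra_props)
    return {"Resources": {"DynamoDBTable": {"Type": DYNAMODB_TABLE_TYPE, "Properties": props}}}


PASS_TEMPLATE = _table(PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True},
                       SSESpecification={"SSEEnabled": True})
FAIL_TEMPLATE = _table(PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": False},
                       SSESpecification={"SSEEnabled": False})
# Quoted "true" in YAML arrives as a string; scenario 3 rejects it.
STRING_TRUE_TEMPLATE = _table(PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": "true"})
# Customer managed key (hypothetical alias): passes PR.2 just like the AWS managed key.
CMK_TEMPLATE = _table(SSESpecification={"SSEEnabled": True, "SSEType": "KMS",
                                        "KMSMasterKeyId": "alias/example-dynamodb-key"})
# Only the part of a hook payload that is_cfn_hook() reads (assumed shape).
HOOK_DOCUMENT = {DYNAMODB_TABLE_TYPE: {
    "resourceProperties": PASS_TEMPLATE["Resources"]["DynamoDBTable"]["Properties"]}}
NO_TABLE_TEMPLATE = {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}}

if __name__ == "__main__":
    samples = [("pass", PASS_TEMPLATE), ("fail", FAIL_TEMPLATE),
               ("string-true", STRING_TRUE_TEMPLATE), ("cmk", CMK_TEMPLATE),
               ("hook", HOOK_DOCUMENT), ("no-table", NO_TABLE_TEMPLATE)]
    for name, doc in samples:
        for control in CONTROLS:
            print(f"{name:12s} {control}: {evaluate(doc, control)[0]}")
```

Feed it any template loaded with json.load (or a YAML loader that understands CloudFormation's intrinsic-function tags). This is a convenience for fast feedback only; the authoritative result comes from running the rule specification itself with cfn-guard validate, which is what the proactive control does at deployment time.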