🟠 CIS AWS 5.3 · Rule: CIS-AWS-5-3 · Severity: high

DynamoDB encryption with KMS CMK

Description

Ensure DynamoDB tables are encrypted at rest with customer-managed KMS keys (CMKs) rather than the default AWS-managed encryption.

⚠️ Risk Impact

DynamoDB's default encryption uses an AWS-managed key. With a customer-managed key (CMK) you decide through the key policy which principals may decrypt the table, and you control key rotation independently of AWS.

🔍 How EchelonGraph Detects This

CIS-AWS-5-3 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Switch each table to KMS encryption with your CMK (the key policy must also limit kms:Decrypt to the principals that need it):

aws dynamodb update-table --table-name <table> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<arn>

💀 Real-World Attack Scenario

A DynamoDB table containing customer profiles was misconfigured for cross-account access via IAM. Attackers operating from a compromised partner account read the entire table. CMK encryption with a restrictive key policy would have prevented decryption: even with table-level read permission, the partner account's principals would have lacked kms:Decrypt on the key.

💰 Cost of Non-Compliance

DynamoDB exposure: $4.45M (avg).

📋 Audit Questions

  1. Are all DynamoDB tables encrypted with a customer-managed key (CMK)?
  2. Does each CMK's key policy restrict who can decrypt?
  3. Has cross-account access to the tables and keys been reviewed?
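The detection described above and the three audit questions can be answered from two API results: the table's DescribeTable output (its SSEDescription block) and, for the key it references, the KMS DescribeKey metadata and key policy. The script below is an added example written for this page, not EchelonGraph's scanner code. It classifies each table's encryption as AWS-owned, AWS-managed or customer-managed and then flags any Allow statement in the CMK's key policy that grants kms:Decrypt to a wildcard or to a principal outside the owning account. The table, key and policy inputs are constructed sample data; in a real audit they would come from the corresponding boto3 calls.

```python
"""Audit DynamoDB table encryption against CIS AWS 5.3 (added example, constructed data)."""
import json
import re

# Actions that effectively allow decrypting data under the key.
DECRYPT_ACTIONS = {"kms:decrypt", "kms:*", "*"}
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_sse(table, key_metadata):
    """Return AWS_OWNED, AWS_MANAGED or CUSTOMER_MANAGED for one DescribeTable result.

    key_metadata maps key ARN -> {"KeyManager": "AWS" | "CUSTOMER"} as returned by
    KMS DescribeKey; the ARN alone does not reveal who manages the key.
    """
    sse = table.get("SSEDescription") or {}
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        # DynamoDB's default: no SSEDescription is returned, data is under an AWS-owned key.
        return "AWS_OWNED"
    manager = key_metadata.get(sse.get("KMSMasterKeyArn"), {}).get("KeyManager")
    return "CUSTOMER_MANAGED" if manager == "CUSTOMER" else "AWS_MANAGED"


def overbroad_decrypt_principals(policy_doc, account_id):
    """List principals granted decrypt rights that are '*' or belong to another account."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & DECRYPT_ACTIONS:
            continue
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in principals:
            match = ARN_ACCOUNT_RE.match(p) if p != "*" else None
            if match is None or match.group(1) != account_id:
                findings.append(p)
    return findings


def audit_tables(tables, key_metadata, key_policies, account_id):
    """Map table name -> list of findings (an empty list means the table is compliant)."""
    report = {}
    for table in tables:
        issues = []
        kind = classify_sse(table, key_metadata)
        if kind != "CUSTOMER_MANAGED":
            issues.append(f"encryption uses {kind} key, not a customer-managed CMK")
        else:
            key_arn = table["SSEDescription"]["KMSMasterKeyArn"]
            policy = json.loads(key_policies.get(key_arn, '{"Statement": []}'))
            for p in overbroad_decrypt_principals(policy, account_id):
                issues.append(f"key policy allows kms:Decrypt to {p}")
        report[table["TableName"]] = issues
    return report


# --- constructed sample inputs (placeholder account ids and key ids) ---
ACCOUNT = "111111111111"
CMK_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

SAMPLE_TABLES = [
    {"TableName": "customer-profiles"},  # default encryption: no SSEDescription
    {"TableName": "orders", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_MANAGED_ARN}},
    {"TableName": "sessions", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CMK_ARN}},
]
SAMPLE_KEYS = {AWS_MANAGED_ARN: {"KeyManager": "AWS"}, CMK_ARN: {"KeyManager": "CUSTOMER"}}
SAMPLE_POLICIES = {CMK_ARN: json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        # The cross-account grant below is what lets a partner account decrypt the table.
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-reader"},
         "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
})}

if __name__ == "__main__":
    for name, issues in audit_tables(SAMPLE_TABLES, SAMPLE_KEYS, SAMPLE_POLICIES, ACCOUNT).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it reports the first two tables for not using a CMK and the third for its cross-account decrypt grant. The policy check only covers `Principal.AWS` entries and treats any non-Allow statement as harmless; service principals, conditions such as kms:ViaService, and IAM-side grants would need the same treatment in a full scanner.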

🎯 MITRE ATT&CK Mapping

T1530 — Data from Cloud Storage

🏗️ Infrastructure as Code Fix

main.tf
resource "aws_dynamodb_table" "main" {
  name         = "customer-profiles" # placeholder table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn # customer-managed key declared elsewhere
  }
}

⚡ Common Pitfalls

  • Default AWS-managed encryption left in place
  • CMK created but with a permissive key policy
  • Cross-account access granted in both the table's IAM permissions and the key policy, so the other account can decrypt regardless of the CMK

📈 Business Value

CMK encryption + restrictive policy = defense-in-depth.

⏱️ Effort Estimate

Manual

30 minutes per table

With EchelonGraph

EchelonGraph audits DynamoDB encryption

🔗 Cross-Framework References

SOC2-CC6.1 · NIST-SC-28

Automate CIS AWS 5.3 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
