Control: DynamoDB table should be encrypted with AWS KMS
Description
Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.dynamodb_table_encrypted_with_kms_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.dynamodb_table_encrypted_with_kms_cmk --share

SQL
This control uses a named query:
select
  address as resource,
  case
    -- kms_key_arn - This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb.
    -- This query only checks if the table is encrypted by the default AWS KMS key, i.e. if enabled is false then server-side encryption is set to the AWS owned CMK.
    when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is false then 'alarm'
    when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then 'ok'
    -- enabled = true without kms_key_arn (AWS managed key) and a missing server_side_encryption block both land here.
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is false then ' encrypted by DynamoDB managed and owned AWS KMS key'
    when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then ' encrypted by AWS managed CMK'
    else ' not encrypted by AWS managed CMK'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_dynamodb_table';
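The three outcomes of the query's CASE expression as they look in Terraform, as an added example that is not part of the terraform_aws_compliance mod; the table names and the aws_kms_key resource are constructed for illustration.

```hcl
# Added example, not the mod's own code: one aws_dynamodb_table per branch of the control.

# enabled = false -> 'alarm': the table is encrypted with the AWS owned key.
resource "aws_dynamodb_table" "owned_key" {
  name         = "example-owned-key"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  server_side_encryption {
    enabled = false
  }
}

# enabled = true without kms_key_arn -> else branch, 'alarm': the table uses the
# AWS managed key alias/aws/dynamodb, which the control does not accept. A table
# with no server_side_encryption block at all falls into the same branch.
resource "aws_dynamodb_table" "aws_managed_key" {
  name         = "example-aws-managed-key"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  server_side_encryption {
    enabled = true
  }
}

# enabled = true and kms_key_arn set -> 'ok': a customer managed key (constructed here).
resource "aws_kms_key" "dynamodb" {
  description         = "Customer managed key for DynamoDB tables"
  enable_key_rotation = true
}
resource "aws_dynamodb_table" "customer_managed_key" {
  name         = "example-customer-managed-key"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"
  attribute {
    name = "id"
    type = "S"
  }
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}
```

Running the control against a directory containing this file reports the first two tables in alarm and only customer_managed_key as ok.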