turbot/terraform_aws_compliance

Query: dynamodb_table_encrypted_with_kms_cmk

Usage

powerpipe query terraform_aws_compliance.query.dynamodb_table_encrypted_with_kms_cmk

Steampipe Tables

SQL

select
address as resource,
case
-- // kms_key_arn - This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb.
-- This query only checks if table is encrypted by default AWS KMS i.e. If enabled is false then server-side encryption is set to AWS owned CMK
when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is false then 'alarm'
when (attributes_std -> 'server_side_encryption'->> 'enabled')::bool is true and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then 'ok'
else 'alarm'
end status,
split_part(address, '.', 2) || case
when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is false then ' encrypted by DynamoDB managed and owned AWS KMS key'
when (attributes_std -> 'server_side_encryption'->> 'enabled')::bool is true and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then ' encrypted by AWS managed CMK'
else ' not encrypted by AWS managed CMK'
end || '.' as reason
, path || ':' || start_line
from
terraform_resource
where
type = 'aws_dynamodb_table';

Controls

The query is being used by the following controls: