Tags: amazon-web-services, terraform, amazon-dynamodb, tfsec

tfsec aws - DynamoDB Table encryption is not enabled


tfsec complains that an AWS DynamoDB table is not encrypted at rest, although DynamoDB uses encryption at rest. Please help me understand whether this is a tfsec defect.

$ tfsec --version
v1.28.6
Result #4 HIGH Table encryption is not enabled. 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/dynamodb-table/aws/home/masa/home/repository/git/eml/ai_project_template/code/terraform/package/.terraform/modules/dynamodb.dynamodb_table/main.tf:70
   via git::https:/github.com/EMLTeams/ai_shared_aws/code/terraform/module/dynamodb?ref=development/home/masa/home/repository/git/eml/ai_project_template/code/terraform/package/.terraform/modules/dynamodb/code/terraform/module/dynamodb/dynamodb.tf:5-85 (module.dynamodb_table)
    via dynamodb.tf:1-25 (module.dynamodb)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_dynamodb_table" "this" {
    .  
   70  [     enabled     = var.server_side_encryption_enabled (false)
  ...  
  117    }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-dynamodb-enable-at-rest-encryption
      Impact Data can be freely read if compromised
  Resolution Enable encryption at rest for DAX Cluster

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.6/checks/aws/dynamodb/enable-at-rest-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#server_side_encryption

The Terraform resource documentation for aws_dynamodb_table server_side_encryption says that enabled=false still uses encryption:

If enabled is false then server-side encryption is set to AWS-owned key (shown as DEFAULT in the AWS console).

The AWS DynamoDB encryption at rest documentation says encryption at rest is always used:

All user data stored in Amazon DynamoDB is fully encrypted at rest. DynamoDB encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS).


Solution

  • This isn't complaining about DynamoDB but rather DAX, which doesn't provide encryption at rest by default.

    You cannot enable or disable encryption at rest after a cluster has been created. You must re-create the cluster to enable encryption at rest if it was not enabled at creation.

    https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html
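For reference, here is an added Terraform example (not code from the question, the answer, or the modules in the tfsec output) showing the aws_dynamodb_table shape that the aws-dynamodb-enable-at-rest-encryption check flags, the shape it accepts, and the inline suppression for a table where the AWS-owned default key is an accepted decision. Resource names, the table schema and the KMS key are assumptions for illustration.

```hcl
# Added example, not from the question or answer. Names, schema and the
# KMS key below are assumptions chosen for illustration.

# Flagged: server_side_encryption.enabled = false. Per the Terraform docs
# quoted in the question the table is still encrypted, but with the
# AWS-owned key (DEFAULT in the console), and tfsec reports
# "Table encryption is not enabled." on this block.
resource "aws_dynamodb_table" "flagged" {
  name         = "example-flagged"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  server_side_encryption {
    enabled = false
  }
}

# Passes: encryption explicitly enabled with a customer-managed KMS key
# (assumed key; enabled = true without kms_key_arn uses the AWS-managed
# aws/dynamodb key instead). A CMK gives you rotation control and
# CloudTrail visibility of every use of the key.
resource "aws_kms_key" "dynamodb" {
  description         = "CMK for DynamoDB table encryption (assumed)"
  enable_key_rotation = true
}

resource "aws_dynamodb_table" "encrypted" {
  name         = "example-encrypted"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}

# Accepted risk: if the AWS-owned default key is a deliberate decision for
# one table, suppress this one check on this one resource rather than
# lowering tfsec's global severity threshold.
#tfsec:ignore:aws-dynamodb-enable-at-rest-encryption
resource "aws_dynamodb_table" "accepted_default_key" {
  name         = "example-accepted-default-key"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  server_side_encryption {
    enabled = false
  }
}
```

In the setup shown in the tfsec output the attribute is driven by the module variable server_side_encryption_enabled, so the equivalent change is to pass true (and a kms_key_arn, if the module exposes one) from the calling module, rather than editing the vendored copy under .terraform/modules.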