12 Amazon DynamoDB Security Best Practices
Written by Lahiru Lakshan Hewawasam
Published on 2022-04-11
AWS secures the infrastructure that runs DynamoDB in every region and operates the service under industry standards such as ISO 27001, ISO 27701, and PCI DSS. Under the shared responsibility model, however, AWS is responsible only for the security of the cloud itself: the security of the data stored in DynamoDB, who may access it, and the more granular controls around it remain the customer's responsibility.
This article looks at the security best practices that address the most common security issues when using DynamoDB in your organization.
DynamoDB Security Principles
DynamoDB Row Level Security
DynamoDB can enforce permissions down to individual items and attributes, but it does so through IAM policy conditions rather than through a separate row-level security feature. The usual pattern for end users is to federate them through an Amazon Cognito identity pool: each user receives temporary credentials for an IAM role, and that role's policy can reference the user's Cognito identity ID as a policy variable.
Row-level (item-level) authorization then works by using the Cognito identity ID as the table's partition key and restricting the role's IAM policy with the dynamodb:LeadingKeys condition key to the value of ${cognito-identity.amazonaws.com:sub}. Every user authenticated through that role can read and write only the items whose partition key is their own identity ID.
DynamoDB Security Controls
DynamoDB provides several security controls that let you tailor protection to your own requirements. They sit on top of the infrastructure security AWS provides natively.
Additional controls let you tighten specific settings to meet standards and regulations that demand more than the DynamoDB defaults.
These controls range from data protection, which covers encrypting sensitive information at rest and in transit, to identity and access management. Not all of them are pre-configured, and not all are mandatory, so it is up to you to decide which combination gives the most comprehensive security without hurting the performance or usability of the service.
Common DynamoDB Security Issues
1. Data in transit is protected only by TLS
Every DynamoDB endpoint is reached over HTTPS, so the channel between your application and the service is encrypted with TLS and an attacker on the network path cannot read or alter requests in transit. DynamoDB does not, however, encrypt the item payload itself: attribute values are plaintext to anything that terminates TLS on the path (a proxy or the application host) and to any principal with read access to the table. If the data must stay unreadable to everyone except the application, encrypt sensitive attributes before they are sent, using the client-side encryption described under the best practices below.
2. DynamoDB does not enable granular column and item level access by default
When you grant access to a DynamoDB table, you name the principal and the allowed actions explicitly. By default, though, a permission such as dynamodb:GetItem or dynamodb:UpdateItem applies to every item and every attribute in the table, so a principal can read or manipulate columns and items well beyond the ones it needs. Fine-grained permissions, expressed as IAM policy conditions, are required to restrict a principal to a specific set of items or attributes; without them, a user or entity easily ends up with more access than required.
3. Default communication sent via the Internet
By default, DynamoDB is reached through public regional endpoints. Traffic from an application inside a VPC therefore leaves through an internet gateway or NAT gateway, and traffic from on-premises hosts crosses the Internet. The connection is TLS-encrypted, but it traverses networks you do not control, which enlarges the attack surface of the communication path and makes it hard to guarantee that a table is reachable only from your own network.
DynamoDB Security Best Practices
DynamoDB contains various features that help secure the service. These features can help the user either detect or prevent certain types of attacks.
Following the best practices listed below can improve the security posture of your DynamoDB instance.
Best Practices for Detective Security
1. Monitoring AWS managed KMS key usage with AWS CloudTrail
Tables encrypted with the AWS managed key for DynamoDB (aws/dynamodb) or with a customer managed key in AWS KMS cause DynamoDB to call KMS on your behalf (GenerateDataKey and Decrypt, for example), and AWS CloudTrail records each of those calls. Every entry shows the caller, the service that invoked the operation, the request parameters, including an encryption context that names the table, and the outcome. This is useful when tracking unauthorized key use and when troubleshooting access problems. Tables encrypted with the default AWS owned key do not produce these entries, because that key does not live in your account.
2. Monitoring DynamoDB operations with CloudTrail
AWS CloudTrail records control-plane calls to DynamoDB, such as creating a table, deleting a backup, or tagging a resource, and can optionally record data-plane calls (data events) such as GetItem and PutItem. Each record identifies who performed the action, when, from which address, and with which parameters, which makes it possible to identify and track activity within DynamoDB. The AWS documentation lists every DynamoDB operation CloudTrail logs.
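The two CloudTrail practices above (key usage and control-plane operations) are easiest to see with detection logic run over actual records. The Python below is an added example, not code from the original article or from AWS; the CloudTrail records it scans are constructed and trimmed to the fields the logic reads (real records are delivered as gzipped JSON files with a "Records" array and carry many more fields), and the table name, account ID and IAM identities are assumptions. It flags destructive control-plane calls, a call that disables point-in-time recovery, and any KMS data-key operation whose encryption context names a DynamoDB table but which was not invoked by the DynamoDB service itself.

```python
import json

# Control-plane calls that destroy data (assumption: always worth an alert).
DESTRUCTIVE_ACTIONS = {"DeleteTable", "DeleteBackup"}
# KMS operations DynamoDB performs with a table-scoped encryption context.
KMS_DATA_KEY_OPS = {"Decrypt", "Encrypt", "GenerateDataKey"}

# Constructed, simplified CloudTrail records, one JSON object per line.
SAMPLE_LOG = """
{"eventSource":"dynamodb.amazonaws.com","eventName":"CreateTable","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/deploy-role/ci"},"requestParameters":{"tableName":"Orders"},"sourceIPAddress":"10.0.1.5"}
{"eventSource":"dynamodb.amazonaws.com","eventName":"DeleteTable","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"tableName":"Orders"},"sourceIPAddress":"203.0.113.7"}
{"eventSource":"dynamodb.amazonaws.com","eventName":"UpdateContinuousBackups","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"tableName":"Orders","pointInTimeRecoverySpecification":{"pointInTimeRecoveryEnabled":false}},"sourceIPAddress":"203.0.113.7"}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"type":"AWSService","invokedBy":"dynamodb.amazonaws.com"},"requestParameters":{"encryptionContext":{"aws:dynamodb:tableName":"Orders","aws:dynamodb:subscriberId":"123456789012"}},"sourceIPAddress":"dynamodb.amazonaws.com"}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"encryptionContext":{"aws:dynamodb:tableName":"Orders","aws:dynamodb:subscriberId":"123456789012"}},"sourceIPAddress":"203.0.113.7"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(rec):
    """Human-readable caller: the invoking AWS service, or the IAM/STS ARN."""
    ident = rec.get("userIdentity") or {}
    if ident.get("type") == "AWSService":
        return ident.get("invokedBy", "unknown-service")
    return ident.get("arn", "unknown-principal")


def find_alerts(records):
    """Return one alert string per suspicious record, in log order."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        who = principal(rec)
        if source == "dynamodb.amazonaws.com":
            table = params.get("tableName", "?")
            if name in DESTRUCTIVE_ACTIONS:
                alerts.append(f"{name} on {table} by {who} from {rec.get('sourceIPAddress')}")
            elif name == "UpdateContinuousBackups":
                spec = params.get("pointInTimeRecoverySpecification") or {}
                if spec.get("pointInTimeRecoveryEnabled") is False:
                    alerts.append(f"PITR disabled on {table} by {who}")
        elif source == "kms.amazonaws.com" and name in KMS_DATA_KEY_OPS:
            ctx = params.get("encryptionContext") or {}
            table = ctx.get("aws:dynamodb:tableName")
            # Only DynamoDB itself should use a table's encryption context;
            # a human or role doing so is reading data keys outside the service.
            if table and who != "dynamodb.amazonaws.com":
                alerts.append(f"{name} with DynamoDB context for {table} by {who}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_records(SAMPLE_LOG)):
        print(alert)
```

In production the same function would run inside a Lambda subscribed to the CloudTrail log group or over records fetched from the trail's S3 bucket; the value of the encryption-context check is that it works even when the caller has legitimate kms:Decrypt permission for other purposes.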
3. Monitoring the data plane operations with DynamoDB Streams
DynamoDB Streams records every item-level change (insert, modify, remove) made to a table, optionally with the old and new images of the item. Because AWS Lambda integrates natively with streams, a function can be invoked for each batch of records and act whenever a record matches specific criteria. The combination gives near-real-time detection of, and response to, changes to the data in a table.
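A Lambda handler that applies such criteria to stream records, as an added example (not code from the original article or from AWS): it unmarshals the DynamoDB typed JSON in each record, reports deletions, reports inserts that create a privileged account, and on modifications reports changes to watched attributes, marking a role change to "admin" as a privilege escalation. The table layout, the attribute names "role" and "email", the privileged value and the sample event are all assumptions; the event is constructed in the shape Lambda receives from a stream with the NEW_AND_OLD_IMAGES view type, trimmed to the fields the handler reads.

```python
# Attributes whose change is notable, and values that confer privilege.
# Both are assumptions for this illustration.
WATCHED_ATTRIBUTES = ("role", "email")
PRIVILEGED_ROLES = {"admin"}


def decode(typed):
    """Turn one DynamoDB typed value ({"S": "x"}, {"N": "3"}, ...) into Python."""
    (kind, value), = typed.items()
    if kind in ("S", "BOOL"):
        return value
    if kind == "N":
        return float(value) if "." in value else int(value)
    if kind == "NULL":
        return None
    if kind in ("SS", "NS", "BS"):
        return set(value)  # kept as raw strings for simplicity
    if kind == "L":
        return [decode(v) for v in value]
    if kind == "M":
        return unmarshal(value)
    raise ValueError(f"unsupported DynamoDB type {kind}")


def unmarshal(image):
    """Convert a whole Keys / NewImage / OldImage map."""
    return {name: decode(v) for name, v in image.items()}


def classify(record):
    """Return an alert string for one stream record, or None if it is benign."""
    name = record["eventName"]  # INSERT, MODIFY or REMOVE
    body = record["dynamodb"]
    keys = unmarshal(body["Keys"])
    new = unmarshal(body.get("NewImage", {}))
    old = unmarshal(body.get("OldImage", {}))
    if name == "REMOVE":
        return f"REMOVE {keys}: item deleted (old role {old.get('role')!r})"
    if name == "INSERT":
        if new.get("role") in PRIVILEGED_ROLES:
            return f"INSERT {keys}: created with privileged role {new['role']!r}"
        return None
    changes = [f"{a}: {old.get(a)!r} -> {new.get(a)!r}"
               for a in WATCHED_ATTRIBUTES if old.get(a) != new.get(a)]
    if not changes:
        return None
    escalated = (new.get("role") in PRIVILEGED_ROLES
                 and old.get("role") not in PRIVILEGED_ROLES)
    tag = "privilege escalation; " if escalated else ""
    return f"MODIFY {keys}: {tag}" + ", ".join(changes)


def handler(event, context=None):
    """Lambda entry point for a DynamoDB Streams event source mapping."""
    alerts = [a for a in (classify(r) for r in event["Records"]) if a]
    # A real deployment would publish alerts to SNS or Security Hub here.
    # Do not raise on an alert: an exception makes Lambda retry the whole batch.
    return {"processed": len(event["Records"]), "alerts": alerts}


# Constructed sample event (not captured from a real stream).
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {
        "Keys": {"UserId": {"S": "u-100"}},
        "NewImage": {"UserId": {"S": "u-100"}, "role": {"S": "user"},
                     "email": {"S": "new@example.com"}}}},
    {"eventName": "MODIFY", "dynamodb": {
        "Keys": {"UserId": {"S": "u-200"}},
        "OldImage": {"UserId": {"S": "u-200"}, "role": {"S": "user"},
                     "email": {"S": "bob@example.com"}, "logins": {"N": "7"}},
        "NewImage": {"UserId": {"S": "u-200"}, "role": {"S": "admin"},
                     "email": {"S": "bob@example.com"}, "logins": {"N": "8"}}}},
    {"eventName": "REMOVE", "dynamodb": {
        "Keys": {"UserId": {"S": "u-300"}},
        "OldImage": {"UserId": {"S": "u-300"}, "role": {"S": "user"}}}},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The "logins" counter changing from 7 to 8 in the second record is deliberately ignored: alerting on every attribute of a busy table produces noise, so the handler compares only the attributes the security team cares about.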
4. Using AWS Config to monitor DynamoDB configuration changes
AWS Config continuously records configuration changes to DynamoDB resources. When it detects a change, it can publish a notification through Amazon SNS (Simple Notification Service) so that the right people can review it and take appropriate action.
5. Using AWS Config rules to monitor changes to DynamoDB compliance
AWS Config rules continuously evaluate DynamoDB configuration against a defined standard and flag any resource that drifts into a non-compliant state. AWS managed rules are pre-built, customizable checks; for DynamoDB they include rules that verify tables are encrypted with a KMS key, have point-in-time recovery enabled, and are covered by a backup plan. Custom rules can express any stricter requirement of your own.
6. Tagging DynamoDB resources
DynamoDB lets you tag tables and other resources to simplify identification, cost allocation, and grouped controls. AWS prescribes no tag set, so choose tags that are easy to understand and apply them consistently; for example:
- "Security" Tag - Identifies the sensitivity level or security owner of the data in the resource (not a VPC security group, which does not apply to DynamoDB).
- "Environment" Tag - Identifies the environment (development, staging, production) to which the resource belongs.
Best Practices for Preventive Security
1. Enabling Encryption at Rest
DynamoDB encrypts every table at rest, and this cannot be turned off. By default, tables are encrypted with an AWS owned key, which is not visible in your account. You can instead select the AWS managed key for DynamoDB (aws/dynamodb) or a customer managed key in AWS KMS for some or all of your tables; both give you CloudTrail visibility of key use, and a customer managed key additionally gives you control over the key policy and rotation.
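The Config-rules practice above and the encryption-at-rest options just described come together in a compliance check. The Python below is an added example (not code from the original article or from AWS): it evaluates one table the way a custom AWS Config rule would, requiring a customer managed KMS key and point-in-time recovery (an assumed standard; a looser one could accept the AWS managed key by passing require_cmk=False). The inputs are constructed dictionaries shaped like the "Table" element of a DescribeTable response, the "ContinuousBackupsDescription" of DescribeContinuousBackups, and the "KeyMetadata" of KMS DescribeKey; the table names and key ARNs are assumptions, and the boto3 calls that would fetch them and report results to Config are omitted.

```python
def evaluate_table(table, continuous_backups, key_metadata=None, require_cmk=True):
    """Return ("COMPLIANT" | "NON_COMPLIANT", [reasons]) for one table."""
    reasons = []
    sse = table.get("SSEDescription")
    if not sse:
        # DescribeTable omits SSEDescription when the AWS owned key is in use.
        reasons.append("encrypted with the AWS owned key; no key use visible in CloudTrail")
    elif sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        reasons.append(f"unexpected server-side encryption state: {sse}")
    elif require_cmk:
        # Both the AWS managed key (aws/dynamodb) and a customer managed key
        # appear as a key ARN here; only KMS DescribeKey tells them apart.
        manager = (key_metadata or {}).get("KeyManager")
        if manager != "CUSTOMER":
            reasons.append(f"KMS key KeyManager is {manager or 'unknown'}, not CUSTOMER")
    pitr = (continuous_backups.get("PointInTimeRecoveryDescription") or {}).get(
        "PointInTimeRecoveryStatus")
    if pitr != "ENABLED":
        reasons.append("point-in-time recovery is not enabled")
    return ("COMPLIANT" if not reasons else "NON_COMPLIANT", reasons)


# Constructed inputs shaped like the API responses (assumed names and ARNs).
AWS_MANAGED_KEY = {"KeyManager": "AWS",
                   "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaa-1111"}
CUSTOMER_KEY = {"KeyManager": "CUSTOMER",
                "Arn": "arn:aws:kms:us-east-1:123456789012:key/bbbb-2222"}
PITR_ON = {"ContinuousBackupsStatus": "ENABLED",
           "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}
PITR_OFF = {"ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}
DEFAULT_TABLE = {"TableName": "Sessions"}  # no SSEDescription: AWS owned key
MANAGED_TABLE = {"TableName": "Orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_MANAGED_KEY["Arn"]}}
CMK_TABLE = {"TableName": "Payments", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": CUSTOMER_KEY["Arn"]}}


def evaluate_all():
    """Evaluate the three sample tables against the assumed standard."""
    return {
        "Sessions": evaluate_table(DEFAULT_TABLE, PITR_OFF),
        "Orders": evaluate_table(MANAGED_TABLE, PITR_ON, AWS_MANAGED_KEY),
        "Payments": evaluate_table(CMK_TABLE, PITR_ON, CUSTOMER_KEY),
    }


if __name__ == "__main__":
    for name, (status, reasons) in evaluate_all().items():
        print(name, status, reasons)
```

The point a practitioner tends to miss is in the middle branch: a table description alone cannot tell an AWS managed key from a customer managed key, so a rule that only inspects DescribeTable output will wrongly pass tables that use aws/dynamodb when the standard calls for a key you control.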
2. Authenticating DynamoDB access with IAM roles
Every call to the AWS APIs must carry valid credentials. IAM user access keys are long-term credentials that are rarely rotated, so embedding them in an application is unwise: if they are compromised, the business impact can be significant. AWS therefore recommends giving applications an IAM role (through an EC2 instance profile, a Lambda execution role, or an ECS task role, for example) so they obtain short-lived temporary credentials for DynamoDB instead of relying on stored access keys.
3. Enabling DynamoDB based authorization with IAM policies
Applying least privilege ensures that no user or application gets more access than it needs. Define, for each principal, the specific DynamoDB API actions it may call and the tables (and indexes) those actions apply to, rather than granting dynamodb:* on all resources.
4. Defining granular access with IAM policies
Fine-grained control over individual items and attributes limits the blast radius of both mistakes and malicious actions. It is configured with DynamoDB-specific IAM condition keys: dynamodb:LeadingKeys restricts the partition key values a principal may touch, dynamodb:Attributes restricts the attributes it may read or write, and dynamodb:Select and dynamodb:ReturnValues keep a request from returning attributes outside that set.
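The row-level pattern described under DynamoDB Security Principles and the condition keys just listed fit together in one policy. The Python below is an added example (not code from the original article or from AWS): it builds the IAM policy for a Cognito authenticated role that confines each user to items whose partition key is their own identity ID and to three attributes, then checks sample requests against it with a deliberately simplified evaluator. The evaluator models only the two condition operators the policy uses and ignores explicit denies, service control policies and resource policies, so it illustrates how the conditions bite rather than reproducing IAM; the table ARN, account ID and identity IDs are assumptions.

```python
import re

# Assumed table for the illustration.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserProfiles"

# Policy for the Cognito authenticated role: a user may only touch items whose
# partition key equals their own Cognito identity ID, and only these attributes.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnItemsSelectedAttributes",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": [TABLE_ARN],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
                "dynamodb:Attributes": ["UserId", "DisplayName", "Avatar"],
            },
            # Without these, a read with no projection could return every attribute.
            "StringEqualsIfExists": {
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"],
            },
        },
    }],
}


def substitute(value, variables):
    """Expand ${policy-variable} references from the caller's identity context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), ""), value)


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(conditions, req):
    """Simplified IAM condition evaluation: only the two operators used above."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            allowed = [substitute(e, req["variables"]) for e in as_list(expected)]
            actual = req["context"].get(key)
            if operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set; an
                # absent key passes, as in IAM (hence the IfExists conditions).
                if any(v not in allowed for v in as_list(actual or [])):
                    return False
            elif operator == "StringEqualsIfExists":
                if actual is not None and actual not in allowed:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def is_allowed(policy, req):
    """Allow only if some Allow statement matches action, resource and conditions."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and req["action"] in as_list(stmt["Action"])
                and req["resource"] in as_list(stmt["Resource"])
                and condition_holds(stmt.get("Condition", {}), req)):
            return True
    return False


def build_request(action, identity, leading_keys, attributes=None, select=None):
    """Request context as DynamoDB presents it to IAM (simplified, assumed shape)."""
    context = {"dynamodb:LeadingKeys": leading_keys}
    if attributes is not None:
        context["dynamodb:Attributes"] = attributes
    if select is not None:
        context["dynamodb:Select"] = select
    return {"action": action, "resource": TABLE_ARN, "context": context,
            "variables": {"cognito-identity.amazonaws.com:sub": identity}}


if __name__ == "__main__":
    me = "us-east-1:1111-aaaa"
    print(is_allowed(POLICY, build_request("dynamodb:Query", me, [me], ["UserId"])))
    print(is_allowed(POLICY, build_request("dynamodb:Query", me, ["us-east-1:2222-bbbb"])))
```

Scan is deliberately absent from the action list: a Scan has no partition key to compare against dynamodb:LeadingKeys, so granting it would let any user read the whole table regardless of the condition.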
5. Accessing DynamoDB via a VPC endpoint
By default, DynamoDB is reached over its public endpoint. To keep traffic from leaving your network, create a gateway VPC (Virtual Private Cloud) endpoint for DynamoDB: requests from instances in the VPC are then routed to DynamoDB over the AWS network without passing through an internet gateway or NAT. Attach an endpoint policy to limit which tables and actions the endpoint may be used for, and add an aws:SourceVpce condition to the table's IAM policies if the table should be reachable only through that endpoint.
6. Enabling client-side encryption
DynamoDB's own encryption protects data at rest, and TLS protects it on the wire, but the service and any principal with read permission on the table still see attribute values in the clear. The DynamoDB Encryption Client encrypts selected attribute values inside your application before they are sent and decrypts them after they are read, so the plaintext never leaves the application. It also signs each item so that tampering with stored data is detectable.
The client supports encryption keys from multiple sources, including AWS Key Management Service and AWS CloudHSM. At the time of writing it is available in Java and Python, and the two implementations are interoperable: an item encrypted by one can be decrypted by the other when both use the same keys and configuration. Note that the partition and sort key attributes are signed but not encrypted, because DynamoDB needs them in the clear to locate the item.
This article has discussed 12 best practices to improve DynamoDB security. Although they cannot guarantee that a deployment is 100% secure, together they address the most common issues and recommendations.
I hope you have found this helpful. Thank you for reading!
Is DynamoDB secure?
Yes. DynamoDB applies security at multiple layers: every table is encrypted at rest, every API call travels over TLS, and all access is controlled by IAM. How secure a given deployment is still depends on how the customer configures those controls.
How secure is DynamoDB?
AWS complies with multiple industry standards and compliance programs, such as ISO 27001, ISO 27701, and PCI DSS, that cover the DynamoDB service. These standards address the security infrastructure, controls, processes, and procedures that help AWS maintain a high level of security for DynamoDB. Refer to the complete list of AWS compliance programs for a detailed breakdown.
Which is the best technique to secure DynamoDB?
There are many techniques available to secure DynamoDB. However, there isn't a single technique covering all the security aspects, but implementing the best practices for improving DynamoDB security will cover the most common security issues.
Can I use security groups with DynamoDB?
No. Security groups are a VPC network control and do not apply to DynamoDB, which is a regional service reached through an API endpoint. Access is controlled by IAM policies attached to users and roles, narrowed where needed with policy conditions, and network reachability can be restricted with a VPC endpoint and its endpoint policy.
© 2022 Dynobase