
Fix CRLY.01184: Encrypt DynamoDB Tables with Customer Managed CMK #46

Open
curly-review[bot] wants to merge 1 commit into master from
curly/fix-crly.01184-cfn-dynamodb-tables-f8cc09

Conversation

@curly-review (Bot) commented May 1, 2025

Issue Details

ID: CRLY.01184
Severity: HIGH
File: sam/cfn/cfn-dynamodb-tables.yaml


Remediation Summary

Description

The security finding indicates that the DynamoDB tables are not encrypted using a KMS Customer Managed CMK (Customer Master Key). This is a high-severity issue because it leaves the data vulnerable to unauthorized access.

Steps

  1. Create a Customer Managed CMK (if not already created):
    Use the AWS SDK to create a Customer Managed CMK. Below is an example in Python using boto3.

    import boto3

    client = boto3.client('kms')

    # Symmetric key that DynamoDB can use for server-side encryption.
    # KeySpec replaces the deprecated CustomerMasterKeySpec parameter.
    response = client.create_key(
        Description='CMK for DynamoDB Table Encryption',
        KeyUsage='ENCRYPT_DECRYPT',
        KeySpec='SYMMETRIC_DEFAULT'
    )

    # Either the key ID or the ARN is accepted by KMSMasterKeyId in the table definition
    key_id = response['KeyMetadata']['KeyId']
    key_arn = response['KeyMetadata']['Arn']
    print(f"Created CMK with Key ID: {key_id} (ARN: {key_arn})")
  2. Update the DynamoDB Table to use the CMK:
    Add the SSESpecification property to the DynamoDB table definition to enable encryption with the newly created CMK.

    dynamodbTableAccountInfo:
        Type: AWS::DynamoDB::Table
        Properties:
            AttributeDefinitions:
                - 
                    AttributeName: accountEmailAddress
                    AttributeType: S
                - 
                    AttributeName: requestId
                    AttributeType: S
                - 
                    AttributeName: accountId
                    AttributeType: S
            KeySchema:
                - 
                    AttributeName: accountEmailAddress
                    KeyType: HASH
            ProvisionedThroughput:
                ReadCapacityUnits: '1'
                WriteCapacityUnits: '1'
            GlobalSecondaryIndexes:
                - 
                    IndexName: gsiRequestId
                    KeySchema:
                        - 
                            AttributeName: requestId
                            KeyType: HASH
                    Projection:
                        ProjectionType: KEYS_ONLY
                    ProvisionedThroughput:
                        ReadCapacityUnits: '1'
                        WriteCapacityUnits: '1'
                - 
                    IndexName: gsiAccountId
                    KeySchema:
                        - 
                            AttributeName: accountId
                            KeyType: HASH
                    Projection:
                        ProjectionType: ALL
                    ProvisionedThroughput:
                        ReadCapacityUnits: '1'
                        WriteCapacityUnits: '1'
            TableName: !Join [ "-", [ "talr-accountInfo", !Ref stage ] ]
            SSESpecification:
                SSEEnabled: true
                SSEType: KMS  # KMS is the only supported value
                KMSMasterKeyId: !Ref YourCMKResourceName  # Replace with the actual KMS key resource name (a key ID, ARN or alias also works)
  3. Deploy the updated CloudFormation stack:
    Ensure that the updated CloudFormation stack is deployed to apply the changes.

    import boto3

    client = boto3.client('cloudformation')

    # Load the updated template; the finding names sam/cfn/cfn-dynamodb-tables.yaml
    with open('sam/cfn/cfn-dynamodb-tables.yaml') as template_file:
        template_body = template_file.read()

    response = client.update_stack(
        StackName='your-stack-name',  # Replace with the actual stack name
        TemplateBody=template_body
    )

    # update_stack returns the stack ID (ARN), not a change set ID or request token
    print(f"Update stack initiated for stack: {response['StackId']}")

    # Block until the update finishes; changing a table's encryption key is an in-place update
    client.get_waiter('stack_update_complete').wait(StackName='your-stack-name')

By following these steps, you will ensure that your DynamoDB tables are encrypted using a KMS Customer Managed CMK, thereby enhancing the security of your data.
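The check behind this finding, as an added example that is not the bot's or the repository's code: a template-level scan that flags every AWS::DynamoDB::Table whose SSESpecification does not name a customer managed KMS key. It also catches the two configurations that look encrypted but still fail the rule, SSEEnabled without a KMSMasterKeyId (which silently falls back to the AWS managed alias/aws/dynamodb) and an explicit reference to that alias. The sample templates are constructed here in CloudFormation's JSON long form ({"Ref": ...} instead of !Ref) so the check runs without a CloudFormation-aware YAML parser, and the key's logical id DynamoDbKey is an assumption, not a name from the PR.

```python
"""Detection logic for the CRLY.01184 condition: every AWS::DynamoDB::Table in a
CloudFormation template must enable SSE with a customer managed KMS key.

Added example; not code from the curly-review bot or this repository. The sample
templates are constructed in CloudFormation's JSON long form ({"Ref": ...} rather
than !Ref) so the check runs without a CloudFormation-aware YAML parser."""

# Alias of the AWS managed key DynamoDB uses when SSEEnabled is true but no
# KMSMasterKeyId is given. It is not a customer managed key.
AWS_MANAGED_ALIAS = "alias/aws/dynamodb"


def classify_sse(props):
    """Return (compliant, reason) for one table's Properties block."""
    sse = props.get("SSESpecification")
    if sse is None:
        return False, "no SSESpecification: table uses the AWS owned key"
    if str(sse.get("SSEEnabled")).lower() != "true":
        return False, "SSEEnabled is not true"
    key = sse.get("KMSMasterKeyId")
    if key is None:
        return False, "KMSMasterKeyId missing: defaults to " + AWS_MANAGED_ALIAS
    if isinstance(key, dict):
        # Intrinsic function (Ref, Fn::GetAtt, Fn::ImportValue, ...) pointing at a
        # key defined in this or another stack; resolved at deploy time.
        return True, "key supplied via " + next(iter(key))
    if isinstance(key, str):
        if key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS):
            return False, "KMSMasterKeyId is the AWS managed key " + AWS_MANAGED_ALIAS
        return True, "literal key id, ARN or alias: " + key
    return False, "unexpected KMSMasterKeyId type " + type(key).__name__


def find_noncompliant_tables(template):
    """Map logical id -> reason for every DynamoDB table that fails the check."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DynamoDB::Table":
            continue
        compliant, reason = classify_sse(resource.get("Properties", {}))
        if not compliant:
            findings[logical_id] = reason
    return findings


def _table(sse=None):
    """Minimal table resource (constructed sample); SSESpecification is optional."""
    props = {
        "AttributeDefinitions": [{"AttributeName": "accountEmailAddress", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "accountEmailAddress", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST",
    }
    if sse is not None:
        props["SSESpecification"] = sse
    return {"Type": "AWS::DynamoDB::Table", "Properties": props}


# Constructed "before" template: the table as the finding reports it, no SSESpecification.
BEFORE = {"Resources": {"dynamodbTableAccountInfo": _table()}}

# Constructed "after" template: a key resource (hypothetical logical id DynamoDbKey)
# referenced by the fixed table, plus two tables that look encrypted but still fail.
AFTER = {
    "Resources": {
        "DynamoDbKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "CMK for DynamoDB Table Encryption", "EnableKeyRotation": True},
        },
        "dynamodbTableAccountInfo": _table(
            {"SSEEnabled": True, "SSEType": "KMS", "KMSMasterKeyId": {"Ref": "DynamoDbKey"}}
        ),
        "awsManagedKeyTable": _table({"SSEEnabled": True, "KMSMasterKeyId": AWS_MANAGED_ALIAS}),
        "enabledButNoKeyTable": _table({"SSEEnabled": True}),
    }
}

if __name__ == "__main__":
    for name, template in (("before", BEFORE), ("after", AFTER)):
        print(name, find_noncompliant_tables(template))
```

Running the block reports the original table under "before" and only the two deliberately broken tables under "after". The check is static: against a deployed table, describe_table's SSEDescription gives the KMSMasterKeyArn but does not say who manages that key, so confirm with kms describe_key and look at KeyMetadata.KeyManager, which is "CUSTOMER" for a customer managed key and "AWS" for the managed alias/aws/dynamodb key. Defining the AWS::KMS::Key in the same template, as the constructed "after" template does, also keeps the key's lifecycle and key policy under the stack's control rather than in a one-off SDK call.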
