Insecure service configuration - DynamoDB

Need

Secure configuration of DynamoDB service

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non-compliant code

resource "aws_dynamodb_table" "vulnerable_table" {
  name           = "VulnerableTable"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "ID"

  attribute {
    name = "ID"
    type = "N"
  }
}

In the above Terraform script, a DynamoDB table named "VulnerableTable" is created with the PROVISIONED billing mode and a fixed read/write capacity of 20 units each. The hash key for this table is set to "ID", and the corresponding attribute "ID" is declared with type "N" (Number).

The vulnerability lies in the configuration of the read and write capacity. This table is set to a fixed read/write capacity, which can lead to throttling if the demand exceeds the provisioned capacity. Throttling can impact the performance of your application and can lead to an unsatisfactory user experience.

Moreover, the billing mode is set to PROVISIONED, which means you pay for a set amount of read and write capacity whether you use it or not. This can lead to unnecessary costs if your actual usage is much lower than your provisioned capacity.

Finally, the table lacks any access control or encryption-at-rest settings, which can be a security risk. Without proper access control, any user with access to the AWS account could potentially read, write, or delete data in the table. Without encryption at rest, the data stored in the table is vulnerable to unauthorized access.

Steps

  • Review the AWS DynamoDB documentation and best practices for secure configurations.
  • Set the appropriate billing mode for the DynamoDB table based on your application's requirements.
  • Adjust the read and write capacity settings according to the expected workload of your application.
  • Ensure that the hash key attribute is appropriately defined and matches the data type used in your application.
  • Consider implementing fine-grained access control using AWS Identity and Access Management (IAM) roles and policies.
  • Enable encryption at rest for the DynamoDB table to protect data stored in the database.
  • Regularly monitor and review the DynamoDB table's configuration to ensure it remains secure and aligned with best practices.

Compliant code

resource "aws_dynamodb_table" "secure_table" {
  name         = "SecureTable"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "ID"

  attribute {
    name = "ID"
    type = "N"
  }

  server_side_encryption {
    enabled = true
  }

  point_in_time_recovery {
    enabled = true
  }
}

The above code represents a secure configuration for an AWS DynamoDB table using Terraform. Here's a breakdown of the changes made:

  1. Name: The name of the DynamoDB table is set to "SecureTable". It's important to use meaningful names for your resources.

  2. Billing Mode: The billing mode is set to "PAY_PER_REQUEST". This mode is recommended for applications with unpredictable workloads, as it automatically scales throughput capacity to meet workload demands, and charges for the actual reads and writes your application performs.

  3. Hash Key: The hash key attribute is set to "ID" and its type is set to "N" (Number). The hash key attribute is the primary key that uniquely identifies each item in a table. It's important to ensure that the hash key attribute is appropriately defined and matches the data type used in your application.

  4. Server Side Encryption: Server-side encryption is enabled for the DynamoDB table. This means that DynamoDB will encrypt your data at rest using an AWS managed key, adding an additional layer of security.

  5. Point In Time Recovery: Point-in-time recovery is enabled for the DynamoDB table. This helps protect your table data from accidental write or delete operations. With point-in-time recovery, you can restore that table to any point in time during the last 35 days.

Remember, it's also important to implement fine-grained access control using AWS Identity and Access Management (IAM) roles and policies, and regularly monitor and review the DynamoDB table's configuration to ensure it remains secure and aligned with best practices.
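The monitoring step above can be automated. The following Python function is an added example (not part of this page's original code) that checks the table settings discussed here: billing mode, server-side encryption with a KMS key, and point-in-time recovery. The two input dicts follow the response shape of boto3's dynamodb.describe_table() and dynamodb.describe_continuous_backups(); the sample responses are constructed for this example and mirror the two tables on this page.

```python
def audit_dynamodb_table(table_desc: dict, backups_desc: dict) -> list[str]:
    """Return a list of findings for one table; an empty list means it passes."""
    table = table_desc["Table"]
    findings = []

    # Billing mode: BillingModeSummary is omitted for tables that have always
    # been PROVISIONED, so a missing key is treated as PROVISIONED.
    billing = table.get("BillingModeSummary", {}).get("BillingMode", "PROVISIONED")
    if billing != "PAY_PER_REQUEST":
        throughput = table.get("ProvisionedThroughput", {})
        rcu = throughput.get("ReadCapacityUnits")
        wcu = throughput.get("WriteCapacityUnits")
        findings.append(
            f"billing mode is {billing} with fixed capacity (read={rcu}, write={wcu})"
        )

    # Encryption at rest: SSEDescription is only present when the table uses a
    # KMS key (the Terraform server_side_encryption block); when it is absent
    # the table relies on the default AWS owned key.
    sse = table.get("SSEDescription", {})
    if sse.get("Status") != "ENABLED":
        findings.append("server-side encryption with a KMS key is not enabled")

    # Point-in-time recovery lives in the continuous backups description.
    pitr = (backups_desc.get("ContinuousBackupsDescription", {})
            .get("PointInTimeRecoveryDescription", {})
            .get("PointInTimeRecoveryStatus", "DISABLED"))
    if pitr != "ENABLED":
        findings.append("point-in-time recovery is disabled")

    return findings


# Constructed sample responses resembling the two tables on this page.
VULNERABLE_TABLE = {"Table": {"TableName": "VulnerableTable",
                    "ProvisionedThroughput": {"ReadCapacityUnits": 20, "WriteCapacityUnits": 20}}}
VULNERABLE_BACKUPS = {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                      "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}
SECURE_TABLE = {"Table": {"TableName": "SecureTable",
                "BillingModeSummary": {"BillingMode": "PAY_PER_REQUEST"},
                "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}}
SECURE_BACKUPS = {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                  "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}}

if __name__ == "__main__":
    for name, tbl, bkp in (("VulnerableTable", VULNERABLE_TABLE, VULNERABLE_BACKUPS),
                           ("SecureTable", SECURE_TABLE, SECURE_BACKUPS)):
        print(name, audit_dynamodb_table(tbl, bkp) or ["OK"])
```

Against a live account, feed the function the responses of describe_table and describe_continuous_backups for each table name returned by list_tables.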

References