News

AWS Boosts Encryption for Amazon DynamoDB, its NoSQL Database Service

• By David Ramel
• February 13, 2018

Amazon Web Services Inc. (AWS) added encryption-at-rest to Amazon DynamoDB, increasing security options for its NoSQL cloud database service.

While not directly related to this move, AWS was mentioned repeatedly in a recent series of reports that uncovered exposed data stores on the cloud platform. Those data stores were mostly found on AWS's S3 storage service and were mostly attributed to user configuration errors, not to any inherent flaws in the platform.

Nevertheless, security problems related to exposed data stores are widespread, with a May 2017 study from RedLock Inc. finding most hosted databases remained unencrypted, among many other problems.

"Shockingly, the team determined that 82 percent of databases in public cloud computing environments such as Amazon Relational Database Service and Amazon RedShift are not encrypted," RedLock said.

Following such reports, AWS paid more attention to getting the word out about the need to encrypt data stores on its cloud infrastructure, with CTO Werner Vogels advising users to "Dance like nobody is watching, and to encrypt like everyone is" at the company's AWS re:Invent 2017 conference.

AWS has also been stepping up its published data protection guidance and enacting new security controls, with the latest being the new DynamoDB encryption at rest capabilities.

"Today we are giving you another data protection option with the introduction of encryption at rest for Amazon DynamoDB," AWS spokesperson Jeff Barr said in a Feb. 8 blog post. "You simply enable encryption when you create a new table and DynamoDB takes care of the rest. Your data (tables, local secondary indexes, and global secondary indexes) will be encrypted using AES-256 and a service-default AWS Key Management Service (KMS) key."

Amazon DynamoDB is described as a fast, flexible NoSQL database service with high scaling capabilities, a pay-as-you-go pricing model and the promise of consistent, single-digit millisecond latency. According to Barr, the new encryption option doesn't affect that promised latency.

"The encryption adds no storage overhead and is completely transparent; you can insert, query, scan, and delete items as before," Barr said. "The team did not observe any changes in latency after enabling encryption and running several different workloads on an encrypted DynamoDB table."

The new feature is available now in the US East (N. Virginia), US East (Ohio), US West (Oregon) and EU (Ireland) Regions with extra no charge for use, though users will be charged for the calls that DynamoDB makes to AWS KMS.