CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources

The following rules are included. Each rule is guarded by a `when … !empty` condition, so it is reported as SKIP (neither PASS nor FAIL) when the template declares no resource of the type it inspects:

  • SSE KMS Enabled: Checks that server-side encryption is explicitly enabled on the DynamoDB table and, if SSEType is given, that it is KMS. The rule does not inspect KMSMasterKeyId, so it does not require a customer managed key.
  • PITR Enabled: Checks if point-in-time recovery is enabled for the DynamoDB table
  • DAX Encryption At-Rest Enabled: Checks if the DynamoDB Accelerator (DAX) has encryption-at-rest enabled
  • DAX Encryption In-Transit Enabled: Checks if the DynamoDB Accelerator (DAX) has encryption-in-transit enabled

# Every DynamoDB table declared in the template; the DynamoDB rules below are skipped when this is empty.
let ddb_tables = Resources.*[ Type == 'AWS::DynamoDB::Table' ]

# Server-side encryption must be explicitly enabled on every DynamoDB table.
# NOTE: this rule does not inspect KMSMasterKeyId, so it does not require a
# customer managed key; it only requires SSEEnabled and, when present, SSEType == KMS.
rule dynamodb_server_side_encryption when %ddb_tables !empty {
	%ddb_tables {
		Properties {
			# An absent SSESpecification is treated as the unencrypted (AWS owned key) default.
			SSESpecification exists <<DynamoDB Table does not have SSESpecification explicitly configured (server-side encryption is set to AWS owned key).>>
			when SSESpecification exists {
				SSESpecification.SSEEnabled exists <<SSEEnabled is not set (server-side encryption is set to AWS owned key)>>
				when SSESpecification.SSEEnabled exists {
					SSESpecification.SSEEnabled == true <<DynamoDB Table has SSE disabled (server-side encryption is set to AWS owned key).>>
					when SSESpecification.SSEEnabled == true {
						# SSEType is optional; when it is present, KMS is the only value this rule accepts.
						SSESpecification.SSEType !exists OR
						SSESpecification.SSEType == 'KMS' <<DynamoDB Table should have SSE with KMS.>>
					}
				}
			}
		}
	}
}

# Point-in-time recovery must be explicitly enabled on every DynamoDB table;
# an absent specification or flag is treated as disabled.
rule dynamodb_PITR_enabled when %ddb_tables !empty {
	%ddb_tables {
		Properties {
			PointInTimeRecoverySpecification exists <<DynamoDB Table does not have PointInTimeRecoverySpecification configured (i.e. disabled).>>
			when PointInTimeRecoverySpecification exists {
				PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled exists <<PointInTimeRecoveryEnabled is not set (i.e. disabled).>>
				when PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled exists {
					PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true <<DynamoDB Table has Point In Time Recovery disabled.>>
				}
			}
		}
	}
}

# Every DAX cluster declared in the template; the DAX rules below are skipped when this is empty.
let dax_clusters = Resources.*[ Type == 'AWS::DAX::Cluster' ]

# DAX encryption at rest must be explicitly turned on; an absent SSESpecification
# or SSEEnabled flag is treated as disabled.
rule dax_encryption_at_rest when %dax_clusters !empty {
	%dax_clusters {
		Properties {
			SSESpecification exists <<DAX cluster does not have SSESpecification configured (i.e. disabled).>>
			when SSESpecification exists {
				SSESpecification.SSEEnabled exists <<SSEEnabled is not set (i.e. disabled).>>
				when SSESpecification.SSEEnabled exists {
					SSESpecification.SSEEnabled == true <<DAX cluster has SSE disabled.>>
				}
			}
		}
	}
}

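# DAX cluster endpoints must require TLS.
# The check is a positive match on "TLS" rather than the previous `!= "NONE"`:
# a negative comparison also passes any other value, including an unresolved
# intrinsic function (e.g. a Ref to a parameter), which should fail closed instead.
rule dax_encryption_in_transit when %dax_clusters !empty {
	%dax_clusters {
		Properties {
			# An omitted property is reported as a failure because it defaults to NONE.
			ClusterEndpointEncryptionType exists <<ClusterEndpointEncryptionType defaults to NONE (i.e. disabled).>>
			when ClusterEndpointEncryptionType exists {
				ClusterEndpointEncryptionType == "TLS" <<ClusterEndpointEncryptionType is not TLS (in-transit encryption is disabled or cannot be verified).>>
			}
		}
	}
}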

