A collection of AWS Security controls for DynamoDB and DAX (DynamoDB Accelerator). Controls include IAM policies, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

Config Rule
DynamoDB AutoScaling Enabled Check

A config rule that checks whether Auto Scaling is enabled on your DynamoDB tables and/or global secondary indexes. Optionally you can set the read and write capacity units for the table or global secondary index.

CloudFormationTerraformAWS CLI
DynamoDB Encryption Enabled Check

A config rule that checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling.

CloudFormationTerraformAWS CLI
DynamoDB Throughput Limit Check

A config rule that checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.

CloudFormationTerraformAWS CLI
DynamoDB Point In Time Recovery (PITR) Enabled

A config rule that checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point in time recovery is not enabled for Amazon DynamoDB tables.

CloudFormationTerraformAWS CLI
DynamoDB Table Encrypted with KMS

A config rule that checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if DynamoDB DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypted AWS KMS key is not present in kmsKeyArns input parameter.

CloudFormationTerraformAWS CLI
DynamoDB Accelerator (DAX) Encryption Enabled

A config rule that checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.

CloudFormationTerraformAWS CLI
DynamoDB Table in AWS Backup Plan Check

A Config rule that checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables are not present in any AWS Backup plan.

CloudFormationTerraformAWS CLI
Check DynamoDB Table Recovery Point Creation

Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. The rule is NON_COMPLIANT if the DynamoDB Table does not have a corresponding recovery point created within the specified time period.

CloudFormationTerraform
DynamoDB Resources Protected by Backup Plan

Checks if Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan.

CloudFormationTerraform
IAM Policy
Allows Access to a Specific DynamoDB Table

A policy that allows full access to a DynamoDB table with the specified name. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormationTerraformAWS CLI
Allows Access to Specific Columns in a DynamoDB table

A policy that allows access to the specific DynamoDB columns. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormationTerraformAWS CLI
Allow Read-only Access on Items in a Table

An IAM policy that grants permissions for the GetItem and BatchGetItem DynamoDB actions only and thereby sets read-only access to a table. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormationTerraformAWS CLI
Allow Access to a Specific Table and All of Its Indexes

An IAM policy that grants permissions policy grants permissions for all of the DynamoDB actions on a specific table and all of the table's indexes. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormationTerraformAWS CLI
Prevent a User from Purchasing Reserved Capacity Offerings

An IAM policy that allows users to view reserved capacity offerings and current purchases using the AWS Management Console—but new purchases are denied. This policy provides the permissions necessary to complete this action using the AWS Console or AWS API/AWS CLI.

CloudFormationTerraformAWS CLI
Allow Read Access for a DynamoDB Stream Only (Not for the Table)

An IAM policy that grants users permissions to access the streams on a DynamoDB table, but not to the table itself. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormationTerraformAWS CLI