A company has a requirement to create a DynamoDB table.
The company's software architect has provided the following CLI command for the DynamoDB table:

aws dynamodb create-table \
    --table-name Customers \
    --attribute-definitions \
        AttributeName=ID,AttributeType=S \
        AttributeName=Name,AttributeType=S \
    --key-schema \
        AttributeName=ID,KeyType=HASH \
        AttributeName=Name,KeyType=RANGE \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --sse-specification Enabled=true

Which of the following has been taken care of from a security perspective from the above command?
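A. Since the ID is hashed, it ensures the security of the underlying table.
B. The above command ensures data encryption at rest for the Customer table.
C. The above command ensures data encryption in transit for the Customer table.
D. The right throughput has been specified from a security perspective.

Answer: B.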
Option A is incorrect because hashing the ID does not provide security to the underlying table.
Hashing is mainly used for better indexing.
Option B is CORRECT because the "--sse-specification Enabled=true" parameter in the command ensures that the data for the DynamoDB table is encrypted at rest, which complies with our security requirement.
Option C is incorrect because sse-specification provides encryption at rest and not encryption in transit.
Option D is incorrect because providing the right throughput does not satisfy our security requirements with the table.
For more information on DynamoDB encryption, kindly refer to the following URL:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html

The provided CLI command creates a DynamoDB table named "Customers" with two attributes, "ID" and "Name". The table's primary key consists of two components: "ID" as the hash key and "Name" as the range key. The table has a provisioned throughput of 10 read capacity units and 5 write capacity units. Additionally, the command enables server-side encryption for the table.
Regarding the security perspective, the correct answer is B: The above command ensures data encryption at rest for the Customer table.
Explanation:
Option A (Since the ID is hashed, it ensures the security of the underlying table): This statement is incorrect. Hashing the ID attribute does not ensure the security of the underlying table. In the command, KeyType=HASH only designates ID as the table's hash (partition) key. Hashing is a one-way function that transforms input data into a fixed-size string of characters, and it is commonly used to index and search data quickly. It does not encrypt or otherwise protect the data: anyone with access to the table can still read the ID attribute.
Option C (The above command ensures data encryption in transit for the Customer table): This statement is incorrect. The CLI command does not specify any options for enabling data encryption in transit, so nothing in it addresses the security of data transmission.
Option D (The right throughput has been specified from a security perspective): This statement is partially correct. Provisioned throughput is an important consideration for security, as it can help prevent denial-of-service attacks by limiting the number of read and write requests that can be made to the table. However, it does not address data protection or encryption directly.
Option B (The above command ensures data encryption at rest for the Customer table): This statement is correct. The command specifies the "--sse-specification Enabled=true" option, which enables server-side encryption for the table. This option encrypts all data at rest in the table, including the attribute values, as well as any local and global secondary indexes. This helps protect sensitive data from unauthorized access in the event of a security breach or data leak. Therefore, this option provides data encryption at rest for the Customer table, ensuring its security from this perspective.
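To confirm what the command actually produced, the output of `aws dynamodb describe-table --table-name Customers` can be checked for the key roles and the SSE state. The Python sketch below is an added example, not part of the original question; the sample JSON is constructed, the key ARN is a placeholder, and `review_table` is a hypothetical helper name.

```python
import json

# Constructed sample of `aws dynamodb describe-table --table-name Customers`
# output, trimmed to the fields used here. The account ID and key ID in the
# ARN are placeholders, not real values.
SAMPLE_DESCRIBE_TABLE = """
{
  "Table": {
    "TableName": "Customers",
    "KeySchema": [
      {"AttributeName": "ID", "KeyType": "HASH"},
      {"AttributeName": "Name", "KeyType": "RANGE"}
    ],
    "SSEDescription": {
      "Status": "ENABLED",
      "SSEType": "KMS",
      "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    }
  }
}
"""

KEY_ROLES = {"HASH": "partition key", "RANGE": "sort key"}


def review_table(describe_output: str) -> dict:
    """Summarise key roles and encryption-at-rest state of one table."""
    table = json.loads(describe_output)["Table"]
    # KeyType=HASH only names the partition key; it is not a security control.
    keys = {k["AttributeName"]: KEY_ROLES.get(k["KeyType"], k["KeyType"])
            for k in table.get("KeySchema", [])}
    sse = table.get("SSEDescription")
    if sse is None:
        # No SSEDescription block in the output: nothing to confirm from it.
        sse_state = "no SSEDescription reported"
    elif sse.get("Status") == "ENABLED":
        sse_state = f"encrypted at rest ({sse.get('SSEType', 'unknown type')})"
    else:
        # ENABLING, UPDATING, DISABLING, DISABLED: not (or not yet) in effect.
        sse_state = f"SSE status is {sse.get('Status')}, not ENABLED"
    return {"table": table["TableName"], "keys": keys,
            "sse": sse_state, "kms_key": (sse or {}).get("KMSMasterKeyArn")}


if __name__ == "__main__":
    print(json.dumps(review_table(SAMPLE_DESCRIBE_TABLE), indent=2))
```

Only a Status of ENABLED is reported as encrypted; a table still in ENABLING or UPDATING is flagged so the check can be repeated once the change completes.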