
Amazon DynamoDB encrypts all customer data at rest - petercooper
https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-dynamodb-encrypts-all-customer-data-at-rest/
======
ejcx
So much cloud encryption is a total checkbox. As a security professional I
sometimes don't have a clear threat model that the magic crypto is meant for.

~~~
jnwatson
Yeah I’m confused as to the threat model. It isn’t like they ship hard drives
around.

It is like taping the key above the door lock. Access control to the door is
the important part.

~~~
azurezyq
With encryption at rest, you can basically make sure data can only be accessed
from the main interface. Otherwise there are multiple ways to let data leak,
e.g., sys admins, decommissioned disks, or other tools.

~~~
ec109685
Sys admins would have access regardless if they were evil enough.

~~~
smueller1234
It's entirely feasible to mitigate a lot of that insider risk. You have to
pick the convenience/risk-reduction trade-off, though. For example, it may
make sense to disallow any unilateral access, and only allow signed, reviewed
code to run. There doesn't have to be a single entity with universal root.

In such an environment, encryption at rest can come in handy because it
mitigates some of the physical attack vectors.

~~~
ec109685
It definitely helps for physical attack vectors.

------
gravypod
In AWS' HIPAA compliance docs they recommend not relying on their managed
encryption services as they currently protect you from a legal standpoint but
may not in the future (at least for RDS). Is AWS altering those guidelines and
now going to say their encryption is good enough?

~~~
joelhaasnoot
Isn't this true in general? This protects against someone walking into the
datacenter and stealing a hard drive (which is Amazon's responsibility anyway).

If you want to be sure the data is encrypted, storing encrypted
values/blobs/files/etc. is generally Amazon's stance (for instance, for S3).
For S3 they call this "client side encryption".

------
raghava
I might be missing something, but wasn't this (=> encryption at rest) always
the case, and why this post only now?

Also, the cautionary note, as given
[https://docs.aws.amazon.com/amazondynamodb/latest/developerg...](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.howitworks.html)

"You should ensure you have configured the SDK to reuse connections. Otherwise
you will experience latencies from DynamoDB having to re-establish new KMS
cache entries for each DynamoDB operation, and potentially have to face higher
KMS and Cloudtrail costs. For example, to do this using the Node.js SDK, you
can create a new https agent with keepAlive turned on."

~~~
nostrebored
That data is encrypted in-flight

~~~
jiveturkey
we call that in-transit.

at-rest, in-transit, in-use

------
romed
I guess I assumed all data at AWS was encrypted at rest. Disturbing if not.
Compare:

[https://cloud.google.com/security/encryption-at-rest/default-encryption/](https://cloud.google.com/security/encryption-at-rest/default-encryption/)

------
wanghq
How to do range query if the sort/range keys are encrypted?

[https://docs.aws.amazon.com/amazondynamodb/latest/APIReferen...](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Query.html)

~~~
guitarbill
well, the term is at rest. so an index in memory is probably not encrypted,
just as they decrypt the data to be sent over the wire (also encrypted, e.g.
via HTTPS, which I think the SDK uses under the hood).

this isn't a big deal since sensitive/user data usually is a terrible choice
for a key. (you get hot spots.) but I'm sure there's someone out there using
SSNs as a key...

------
winrid
So how do they do aggregations then?

~~~
erik_seaberg
They don't; DynamoDB is a partitioned document store. You can query for a
range of a sorted key but it just gives you the documents in that range. And
I'm a little fuzzy on KMS but I believe the entire table is encrypted with one
key, so they could do SUM(x) GROUP BY y if they wanted to take the scaling
hit.

------
redwood
Odd this only happened now...

