AWS Adds Encryption Functionality to NoSQL Database Service
Amazon Web Services Inc. (AWS) -- the subject of multiple data exposure reports recently -- has beefed up the security of its Amazon DynamoDB NoSQL database service by adding encryption at rest functionality.
AWS last year was repeatedly mentioned in a series of reports that found private data left exposed, primarily on its S3 storage buckets, and primarily because of user configuration errors caused by organizations not following best practices espoused by the cloud giant and other security experts.
However, security problems related to exposed data stores are widespread, with a May 2017 study from RedLock Inc. finding most hosted databases remained unencrypted, among many other problems.
"Shockingly, the team determined that 82 percent of databases in public cloud computing environments such as Amazon Relational Database Service and Amazon RedShift are not encrypted," RedLock said.
In the wake of such reports, AWS has been paying more attention to getting the word out about the need to encrypt data stores on its cloud infrastructure, with CTO Werner Vogels advising users to "Dance like nobody is watching, and to encrypt like everyone is" at the company's AWS re:Invent 2017 conference.
AWS has also been stepping up its published data protection guidance and enacting new security controls, with the latest being the new DynamoDB encryption at rest capabilities.
"Today we are giving you another data protection option with the introduction of encryption at rest for Amazon DynamoDB," AWS spokesperson Jeff Barr said in a Feb. 8 blog post. "You simply enable encryption when you create a new table and DynamoDB takes care of the rest. Your data (tables, local secondary indexes, and global secondary indexes) will be encrypted using AES-256 and a service-default AWS Key Management Service (KMS) key."
Amazon DynamoDB is described as a fast, flexible NoSQL database service with high scaling capabilities, a pay-as-you-go pricing model and the promise of consistent, single-digit millisecond latency. According to Barr, the new encryption option doesn't affect that promised latency.
"The encryption adds no storage overhead and is completely transparent; you can insert, query, scan, and delete items as before," Barr said. "The team did not observe any changes in latency after enabling encryption and running several different workloads on an encrypted DynamoDB table."
The new feature is available now in the US East (N. Virginia), US East (Ohio), US West (Oregon) and EU (Ireland) Regions with extra no charge for use, though users will be charged for the calls that DynamoDB makes to AWS KMS.
David Ramel is the editor of Visual Studio Magazine.