Paul Duvall edited this page Jan 29, 2020 · 19 revisions

5.2 Encrypt a DynamoDB database using AWS CloudFormation

Review and ensure that you have set up your development environment before going through the steps below.

Create a KMS Key

View the existing KMS keys at the KMS Console.

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-kms.yml

Copy the contents from ceoa-5-kms.yml to your local ceoa-5-kms.yml file in Cloud9 and save it. This CloudFormation template references the IAM user you created in lesson 2 and creates a customer-managed KMS CMK.

Copy the CloudFormation CLI command below to launch the stack that creates the KMS key. The --disable-rollback flag keeps whatever resources were created if the stack fails, so you can troubleshoot; delete the stack yourself afterwards rather than relying on an automatic rollback.

aws cloudformation create-stack --stack-name ceoa-52-kms --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-kms.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Verify the KMS key was created by going to the KMS Console.

Create an S3 Bucket with KMS Encryption

cd ~/environment/ceoa
touch ceoa-5-s3.yml

Copy the contents from ceoa-5-s3.yml to your local ceoa-5-s3.yml file in Cloud9 and save it. This CloudFormation template creates an Amazon S3 bucket whose default encryption refers to an AWS-managed CMK.

Copy the CloudFormation CLI command below to launch the stack that creates an S3 Bucket with KMS encryption.

aws cloudformation create-stack --stack-name ceoa-5-s3 --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-s3.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Verify that the S3 bucket has KMS encryption enabled by going to the S3 Console.

Create an EBS Volume

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-ebs.yml

To get a list of the Availability Zones in your current region (the template needs one for the volume), type the following command:

aws ec2 describe-availability-zones

Copy the contents from ceoa-5-ebs.yml to your local ceoa-5-ebs.yml file in Cloud9 and save it. This CloudFormation template creates an encrypted Amazon EBS volume.

Copy the CloudFormation CLI command below to launch the stack that creates an encrypted EBS volume.

aws cloudformation create-stack --stack-name ceoa-5-ebs --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-ebs.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

  1. Once the ceoa-5-ebs CloudFormation stack is CREATE_COMPLETE, go to the EC2 Console.
  2. Click on Volumes.
  3. Select the checkbox next to the ceoa-5-2-encrypted volume that the CloudFormation stack created and verify that the Encryption field in the Description tab shows Encrypted.

Create a DynamoDB Table

mkdir -p ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-5-ddb.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      # Server-side encryption with KMS. alias/aws/dynamodb is the AWS-managed key;
      # point KMSMasterKeyId at your own key's ARN or alias to use a customer-managed CMK.
      SSESpecification:
        KMSMasterKeyId: alias/aws/dynamodb
        SSEEnabled: true
        SSEType: KMS
      AttributeDefinitions:
      - AttributeName: Album
        AttributeType: S
      - AttributeName: Artist
        AttributeType: S
      - AttributeName: Sales
        AttributeType: N
      - AttributeName: NumberOfSongs
        AttributeType: N
      KeySchema:
      - AttributeName: Album
        KeyType: HASH
      - AttributeName: Artist
        KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      TableName:
        Ref: AWS::StackName
      GlobalSecondaryIndexes:
      - IndexName: myGSI
        KeySchema:
        - AttributeName: Sales
          KeyType: HASH
        - AttributeName: Artist
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Album
          - NumberOfSongs
          ProjectionType: INCLUDE
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5
      - IndexName: myGSI2
        KeySchema:
        - AttributeName: NumberOfSongs
          KeyType: HASH
        - AttributeName: Sales
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Album
          - Artist
          ProjectionType: INCLUDE
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5
      LocalSecondaryIndexes:
      - IndexName: myLSI
        KeySchema:
        - AttributeName: Album
          KeyType: HASH
        - AttributeName: Sales
          KeyType: RANGE
        Projection:
          NonKeyAttributes:
          - Artist
          - NumberOfSongs
          ProjectionType: INCLUDE
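
The SSESpecification block above is the single setting that decides whether the table is KMS-encrypted, and the S3 and EBS templates earlier in this lesson each hinge on one property in the same way. The following Python script is an added example, not part of the lesson or its templates: it lints a parsed CloudFormation template for those properties before create-stack is run, and can optionally insist on a customer-managed key (the CMK created by the ceoa-52-kms stack is never actually referenced by the templates in this lesson). The template is assumed to be already loaded as a dict (JSON form, or YAML loaded with a parser of your choice); the sample resources at the bottom are constructed for the example and trimmed to the properties the checks inspect.

```python
"""Added example, not part of the lesson: lint parsed CloudFormation templates for
the encryption settings this lesson depends on, before running create-stack.

Assumes the template is already a dict (JSON-form template, or YAML loaded with a
YAML parser of your choice). SAMPLE_TEMPLATE below is constructed for this example.
"""


def is_true(value):
    """CloudFormation accepts booleans either as true or as the string "true"."""
    return value is True or str(value).lower() == "true"


def key_scope(key_ref):
    """Classify a KMS key reference: absent, an alias/aws/* (AWS-managed) key, or customer-managed.

    A Ref/Fn::GetAtt dict points at a key defined in the same template, which is customer-managed.
    A bare key ARN is assumed customer-managed; confirm with `aws kms describe-key` if it matters.
    """
    if key_ref is None:
        return "service-default"
    if isinstance(key_ref, dict):
        return "customer-managed"
    if "alias/aws/" in str(key_ref):
        return "aws-managed"
    return "customer-managed"


def check_template(template, require_customer_managed=False):
    """Return {logical_id: [findings]} for every DynamoDB table, S3 bucket and EBS volume.

    An empty list means the resource requests KMS encryption the way this lesson intends.
    """
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        findings, key = [], None
        if res.get("Type") == "AWS::DynamoDB::Table":
            sse = props.get("SSESpecification") or {}
            if not is_true(sse.get("SSEEnabled")):
                findings.append("SSESpecification.SSEEnabled is not true (table would use the AWS-owned key)")
            key = sse.get("KMSMasterKeyId")
        elif res.get("Type") == "AWS::S3::Bucket":
            rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
            defaults = [r.get("ServerSideEncryptionByDefault") or {} for r in rules]
            kms_rules = [d for d in defaults if d.get("SSEAlgorithm") == "aws:kms"]
            if not kms_rules:
                findings.append("no BucketEncryption rule with SSEAlgorithm aws:kms")
            else:
                key = kms_rules[0].get("KMSMasterKeyID")
        elif res.get("Type") == "AWS::EC2::Volume":
            if not is_true(props.get("Encrypted")):
                findings.append("Encrypted is not true")
            key = props.get("KmsKeyId")
        else:
            continue  # not a resource type this lint knows how to check
        if require_customer_managed and key_scope(key) != "customer-managed":
            findings.append(f"key is {key_scope(key)}; a customer-managed key was required")
        report[logical_id] = findings
    return report


# Constructed sample: the lesson's table (AWS-managed key), a bucket with no default
# encryption, a hardened bucket pointing at a key in the same template, and a volume.
SAMPLE_TEMPLATE = {
    "Resources": {
        "myDynamoDBTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "SSESpecification": {"SSEEnabled": True, "SSEType": "KMS",
                                 "KMSMasterKeyId": "alias/aws/dynamodb"}}},
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": {"Ref": "MyKey"}}}]}}},
        "Volume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Encrypted": "true", "Size": 8, "AvailabilityZone": "us-east-1a"}},
        "MyKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    }
}

if __name__ == "__main__":
    for logical_id, findings in check_template(SAMPLE_TEMPLATE, require_customer_managed=True).items():
        print(logical_id, "OK" if not findings else findings)
```

With require_customer_managed left at its default the lesson's table passes; with it set, the table is flagged because alias/aws/dynamodb is the AWS-managed key, which is the distinction between "encrypted at rest" and "encrypted under a key whose policy you control".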

Copy the CloudFormation CLI command below to launch the stack that creates a DynamoDB table encrypted with the AWS-managed KMS key (alias/aws/dynamodb), as set in the template's SSESpecification. To use the customer-managed CMK from the ceoa-52-kms stack instead, set KMSMasterKeyId to that key's ARN or alias.

aws cloudformation create-stack --stack-name ceoa-5-ddb --template-body file:///home/ec2-user/environment/ceoa/ceoa-5-ddb.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

View the CloudFormation stacks at the CloudFormation Console.

Go to the DynamoDB console and verify that KMS encryption is enabled for the table.
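Each section of this lesson ends with a console check (KMS Console, S3 Console, EC2 Volumes, DynamoDB console). The following Python script is an added example, not the lesson's code, that performs the same checks from the CLI so they can be scripted and repeated: it resolves each stack's physical resource IDs with describe-stack-resources and then inspects the describe-table, get-bucket-encryption, describe-volumes and describe-key responses. Only aws_json talks to AWS (it needs the AWS CLI and credentials); the parsers work on the returned JSON, and the SAMPLE documents at the bottom are constructed copies of those response shapes with made-up identifiers so the script runs offline.

```python
"""Added example, not the lesson's code: verify the deployed resources from the CLI
instead of clicking through the consoles.

aws_json wraps the AWS CLI (needs credentials); every other function parses the JSON
a describe call returns, so the checks run offline against the constructed SAMPLE
documents at the bottom, which copy the shape of the real responses with made-up IDs.
"""
import json
import subprocess


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Each parser returns (encrypted_with_kms, key_reference).

def dynamodb_sse(doc):
    """describe-table: SSEDescription is absent entirely when the table uses the AWS-owned key."""
    sse = doc["Table"].get("SSEDescription") or {}
    ok = sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"
    return ok, sse.get("KMSMasterKeyArn")


def bucket_sse(doc):
    """get-bucket-encryption: a default rule whose SSEAlgorithm is aws:kms."""
    for rule in doc["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm") == "aws:kms":
            return True, default.get("KMSMasterKeyID")
    return False, None


def volume_encrypted(doc):
    """describe-volumes: the Encrypted flag and the KmsKeyId the volume was created with."""
    vol = doc["Volumes"][0]
    return vol.get("Encrypted") is True, vol.get("KmsKeyId")


def key_manager(key_ref, run=aws_json):
    """describe-key: 'CUSTOMER' for a CMK like the one ceoa-52-kms creates, 'AWS' for alias/aws/* keys."""
    return run("kms", "describe-key", "--key-id", key_ref)["KeyMetadata"]["KeyManager"]


# resource type -> (describe call for a physical ID, parser for its response)
CHECKS = {
    "AWS::DynamoDB::Table": (lambda pid: ("dynamodb", "describe-table", "--table-name", pid), dynamodb_sse),
    "AWS::S3::Bucket": (lambda pid: ("s3api", "get-bucket-encryption", "--bucket", pid), bucket_sse),
    "AWS::EC2::Volume": (lambda pid: ("ec2", "describe-volumes", "--volume-ids", pid), volume_encrypted),
}


def verify_stack(stack_name, run=aws_json):
    """Resolve the stack's physical resource IDs and check every encryptable resource.

    Returns [(logical_id, resource_type, encrypted_with_kms, key_reference), ...].
    """
    stack = run("cloudformation", "describe-stack-resources", "--stack-name", stack_name)
    results = []
    for res in stack["StackResources"]:
        check = CHECKS.get(res["ResourceType"])
        if check is None:
            continue
        build_args, parse = check
        try:
            doc = run(*build_args(res["PhysicalResourceId"]))
        except subprocess.CalledProcessError:
            # get-bucket-encryption exits non-zero (ServerSideEncryptionConfigurationNotFoundError)
            # on a bucket with no default encryption rule: report it as unencrypted.
            results.append((res["LogicalResourceId"], res["ResourceType"], False, None))
            continue
        ok, key = parse(doc)
        results.append((res["LogicalResourceId"], res["ResourceType"], ok, key))
    return results


# Constructed sample responses (real shape, made-up IDs) for one stack holding all three types.
SAMPLE = {
    ("cloudformation", "describe-stack-resources"): {"StackResources": [
        {"LogicalResourceId": "myDynamoDBTable", "ResourceType": "AWS::DynamoDB::Table",
         "PhysicalResourceId": "ceoa-5-ddb"},
        {"LogicalResourceId": "Volume", "ResourceType": "AWS::EC2::Volume",
         "PhysicalResourceId": "vol-0123456789abcdef0"},
        {"LogicalResourceId": "Bucket", "ResourceType": "AWS::S3::Bucket",
         "PhysicalResourceId": "ceoa-5-s3-example-bucket"}]},
    ("dynamodb", "describe-table"): {"Table": {"TableName": "ceoa-5-ddb", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"}}},
    ("ec2", "describe-volumes"): {"Volumes": [{"VolumeId": "vol-0123456789abcdef0", "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]},
    ("s3api", "get-bucket-encryption"): {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3"}}]}},
    ("kms", "describe-key"): {"KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"}},
}


def fake_run(*args):
    """Stand-in for aws_json that serves the constructed documents above."""
    return SAMPLE[args[:2]]


if __name__ == "__main__":
    # Drop run=fake_run to check a real stack such as ceoa-5-ddb with the AWS CLI.
    for logical_id, rtype, ok, key in verify_stack("ceoa-5-ddb", run=fake_run):
        print(f"{logical_id:16} {rtype:22} {'KMS' if ok else 'NOT ENCRYPTED':14} {key}")
```

Running verify_stack against each of ceoa-5-s3, ceoa-5-ebs and ceoa-5-ddb with the real CLI reproduces the three console checks; feeding each reported key reference to key_manager tells you whether it is the customer-managed CMK from ceoa-52-kms (CUSTOMER) or an AWS-managed key (AWS), which the console's Encryption field alone does not make obvious.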
