Do I need encryption here before storing sensitive information in DynamoDB

Time:12-05

I have a field called "Pin" in DynamoDB which is sensitive information and can be used by users to perform certain actions. It isn't a password though and we do need to display the value of the "Pin" on the UI if the user asks for it (so hashing doesn't work).

I understand DynamoDB is encrypted at rest. The question is: should I be encrypting this value before storing it in the DDB and decrypting it before sending it back? Is there a point in doing that?

Anything else I should be doing here?

CodePudding user response:

@paulsm4 already mentions a few valid points in his comment, let me expand on that.

The question is what you want to protect yourself against.

If you have a requirement to protect against somebody stealing the SSDs the data is stored on and being able to read the data, or any other kind of regulation that forces you to do encryption at rest, encryption at rest is sufficient.

If you want to protect yourself against your AWS admins being able to read the data in the table while still being able to manage the table itself, you can add explicit deny statements for dynamodb:Get*, dynamodb:Query, dynamodb:Scan and dynamodb:BatchGetItem to their roles.

If you want to have an extra level of security on this particular attribute, you can encrypt it using symmetric encryption before writing it and decrypt it before you display it to your users. You can use KMS to do that. This way your admins could read the table but would only see the encrypted PIN. In order to decrypt that, they would need access to the key that was used to encrypt that particular field.

In this case you have to ensure that only your software is allowed to access the key to encrypt/decrypt the PIN and enforces appropriate authorization mechanisms to stop unauthorized users from decrypting the data.
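A sketch of the attribute-level encryption described in the answer above, added here as an example and not part of the original answer. The key alias, the table name "Users", the "user_id" key attribute and the encryption-context fields are assumptions, and the two stub classes are constructed stand-ins so the flow runs offline.

```python
import base64
import os

KEY_ID = "alias/pin-field-key"  # assumption: placeholder KMS key alias

def pin_context(user_id):
    # KMS encryption context: authenticated, non-secret data that must be
    # supplied again on decrypt, so a blob copied to another row will not open.
    return {"table": "Users", "attribute": "Pin", "user_id": user_id}

def store_pin(kms, table, user_id, pin):
    blob = kms.encrypt(KeyId=KEY_ID, Plaintext=pin.encode(),
                       EncryptionContext=pin_context(user_id))["CiphertextBlob"]
    # Only ciphertext reaches DynamoDB; base64 keeps it a plain String attribute.
    table.put_item(Item={"user_id": user_id, "Pin": base64.b64encode(blob).decode()})

def read_pin(kms, table, user_id):
    item = table.get_item(Key={"user_id": user_id})["Item"]
    out = kms.decrypt(CiphertextBlob=base64.b64decode(item["Pin"]), KeyId=KEY_ID,
                      EncryptionContext=pin_context(user_id))
    return out["Plaintext"].decode()

class StubKMS:
    """Constructed offline stand-in for boto3.client("kms"); not real crypto."""
    def __init__(self):
        self._vault = {}
    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        blob = os.urandom(32)
        self._vault[blob] = (KeyId, Plaintext, dict(EncryptionContext))
        return {"CiphertextBlob": blob}
    def decrypt(self, CiphertextBlob, KeyId, EncryptionContext):
        key_id, plaintext, ctx = self._vault[CiphertextBlob]
        if (key_id, ctx) != (KeyId, EncryptionContext):
            raise PermissionError("simulated InvalidCiphertextException")
        return {"Plaintext": plaintext}

class StubTable:
    """Constructed stand-in for boto3.resource("dynamodb").Table("Users")."""
    def __init__(self):
        self.items = {}
    def put_item(self, Item):
        self.items[Item["user_id"]] = dict(Item)
    def get_item(self, Key):
        return {"Item": self.items[Key["user_id"]]}

if __name__ == "__main__":
    kms, table = StubKMS(), StubTable()
    store_pin(kms, table, "user-1", "4921")   # constructed sample values
    print(table.items["user-1"])              # what a table reader sees
    print(read_pin(kms, table, "user-1"))
```

Against AWS, pass boto3.client("kms") and boto3.resource("dynamodb").Table("Users") in place of the stubs. Grant kms:Encrypt and kms:Decrypt on the key only to the application's role, so that a principal who can read the table still sees only ciphertext.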
