Network Isolation for DynamoDB with VPC Endpoint
DynamoDB is a fully managed NoSQL database service offered by Amazon Web Services (AWS). It is renowned for its scalability, dependability, and easy connection with other AWS services. Notwithstanding its manifold advantages, organizations continue to place a high premium on guaranteeing the security of data stored in DynamoDB.
By default, DynamoDB can be accessed over the public network using HTTPS, ensuring secure communication with SSL/TLS encryption.
However, the security implications of a DynamoDB table not being within a Virtual Private Cloud (VPC) are significant.
DynamoDB endpoints are publicly accessible, potentially exposing data to security risks like unauthorized access, data breaches, or malicious activities. Without the confinement of a VPC, traffic to and from DynamoDB traverses the public internet, increasing attack surface to external threats like Man in the Middle and others.
To enhance security and restrict access to DynamoDB within a VPC, you can create a VPC endpoint specifically for DynamoDB.
What Does a Virtual Private Cloud Endpoint Do?
A VPC endpoint is an Internet gateway, a virtual router that connects a VPC to the Internet.
VPC endpoint establishes a secure path for accessing DynamoDB from resources within the VPC, such as Amazon EC2 instances. Utilizing a VPC endpoint ensures traffic between the VPC and DynamoDB remains within the Amazon network, avoiding exposure to the public Internet.
This setup enhances security by providing a direct and secure connection to DynamoDB from resources within the VPC, protecting data confidentiality and integrity, and minimizing external risks.
Therefore, while DynamoDB does not require a VPC by default, utilizing a VPC endpoint offers a more secure and controlled environment for accessing DynamoDB within a Virtual Private Cloud.
How to create and a VPC endpoint for DynamoDB?
In this blog, we will be using AWS CLI command to Create and attach DynamoDB tables to VPC endpoints.
1. First create a DynamoDB tableCreating a DynamoDB table requires the user to define a few table keys or ‘AttributeName’ and their respective datatype / ‘KeyType ‘
The creation from CLI is as follows:
aws dynamodb create-table --table-name BookCollection --attribute-definitions AttributeName=Author,AttributeType=S AttributeName=BookTitle,AttributeType=S --key-schema AttributeName=Author,KeyType=HASH AttributeName=BookTitle,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
{ "TableDescription": {
"AttributeDefinitions": [
{
"AttributeName": "Author",
"AttributeType": "S"
},
{
"AttributeName": "BookTitle",
"AttributeType": "S" }
],
"TableName": "BookCollection",
"KeySchema": [
{
"AttributeName": "Author",
"KeyType": "HASH"
},
{
"AttributeName": "BookTitle",
"KeyType": "RANGE"
}
],
"TableStatus": "CREATING",
"CreationDateTime": "2024-03-08T19:09:31.124000-05:00",
"ProvisionedThroughput": {
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
},
"TableSizeBytes": 0,
"ItemCount": 0,
"TableArn": "arn:aws:dynamodb:us-east-2:AccountID:table/BookCollection",
"TableId": "cdf99136-8711-4201-8da6-eaa08360e993",
"DeletionProtectionEnabled": false
}
}
2. Create a VPC
To create an AWS VPC via the AWS CLI (Command Line Interface), you need to provide CIDR-block, tags, and name. Only CIDR-block is a mandatory field but adding a tag is a good practice. You need to specify the CIDR (Classless Inter-Domain Routing) block for your VPC. This is the range of IP addresses that will be available for instances within your VPC. For example, 10.0.0.0/16.
aws ec2 create-vpc –cidr-block 10.0.0.0/16
{
“Vpc”: { “CidrBlock”: “10.0.0.0/16”,
“DhcpOptionsId”: “dopt-de7ad8b5”,
“State”: “pending”,
“VpcId”: “vpc-0f8438e8802b03f4d”,
“OwnerId”: “AccountID”,
“InstanceTenancy”: “default”,
“Ipv6CidrBlockAssociationSet”: [],
“CidrBlockAssociationSet”: [
{
“AssociationId”: “vpc-cidr-assoc-07d3c05ec763e4d65”,
“CidrBlock”: “10.0.0.0/16”,
“CidrBlockState”: {
“State”: “associated”
}
}
],
“IsDefault”: false
}
}
How to Create a VPC Endpoint for DynamoDB as a Gate to the VPC
To create a VPC endpoint we need to provide pieces of information like VPC-id, service name, subnets security groups, and policy statement. But the two mandatory fields required are VPC ID (ID of the VPC in which you want to create the endpoint. The endpoint will be accessible only from within this VPC) and Service ID or name (name or ID of the AWS service for which you are creating the endpoint).
aws ec2 create-vpc-endpoint –vpc-id “vpc-0f8438e8802b03f4d” --service-name com.amazonaws.us-east-2.dynamodb
{
“VpcEndpoint”: {
“VpcEndpointId”: “vpce-0e80ababa387ece6f”,
“VpcEndpointType”: “Gateway”,
“VpcId”: “vpc-0f8438e8802b03f4d”,
“ServiceName”: “com.amazonaws.us-east-2.dynamodb”,
“State”: “available”,
“PolicyDocument”: “{\”Version\”:\”2008-10-17\”,\”Statement\”:[{\”Effect\”:\”Allow\”,\”Principal\”:\”*\”,\”Action\”:\”*\”,\”Resource\”:\”*\”}]}”,
“RouteTableIds”: [],
“SubnetIds”: [],
“Groups”: [],
“PrivateDnsEnabled”: false,
“RequesterManaged”: false,
“NetworkInterfaceIds”: [],
“DnsEntries”: [],
“CreationTimestamp”: “2024-03-09T00:14:00+00:00”,
“OwnerId”: “AccountID”
}
}
How to Enforce All Access to the DynamoDB Table is Done Via the Specified VPC Endpoint
To force traffic to go through the VPC we created, one must configure an IAM policy that allows the users to access DynamoDB through the VPC endpoint by using a “aws:sourceVpce” condition for the specified DyanmoDB actions.
The aws:sourceVpce condition key is used in IAM policies to control access based on the source VPC endpoint from which the request originates. When applied to DynamoDB VPC endpoints, this condition ensures that access to DynamoDB is only allowed from specific VPC endpoints, enhancing security and control over data access.
Below we will create a JSON file to allow the database instance to connect to the VPC endpoint created above.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow-DynamoDB-access-from-specific-endpoint",
"Effect": "Deny",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-east-2:AccountID:table/*",
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-0e80ababa387ece6f"
}
}
}
]
}
Note: make sure your recently created DynamoDB table/s is within the same region as your VPC. If you have global DynamoDB table/s, please specify list of VPC endpoints that will point to all the VPCs your DynamoDB table is globalized to. as follows:
"Condition": {
"StringEquals": {
"aws:sourceVpce": [ "vpce-xxxxregion1",
"vpce-xxxxregion2"
]
}
}
Create the policy from the JSON file above.
aws iam create-policy --policy-name vpcepolicy --policy-document file://policy.json
Attach this policy to a DynamoDB user or role (for multiple users) as follows
aws iam attach-user-policy --user-name dynauser --policy-arn arn:aws:iam::AccountID:policy/vpcepolicy
aws iam attach-role-policy --role-name dynarole --policy-arn arn:aws:iam::AccountID:policy/vpcepolicy
Once The policy is attached to a user or role, that user will access DynamoDB through VPC endpoint only.
Conclusion
Additional security best practices for DynamoDB include regularly rotating and managing IAM credentials for DynamoDB users, ensuring that access keys are not shared and are minimally privileged, using AWS CloudTrail and Amazon CloudWatch to monitor access and actions on your DynamoDB tables for auditing and real-time security analysis, using data at rest and on-transit encryption for DynamoDB tables and more.
Network isolation using VPC endpoint is an effective way to strengthen you DynamoDB security and prevent access from outside the designated VPC.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.