
Network Isolation for DynamoDB with VPC Endpoint

DynamoDB is a fully managed NoSQL database service offered by Amazon Web Services (AWS). It is known for its scalability, reliability, and easy integration with other AWS services. Despite these advantages, organizations still place a high premium on securing the data stored in DynamoDB.

By default, DynamoDB can be accessed over the public network using HTTPS, ensuring secure communication with SSL/TLS encryption.

However, the security implications of a DynamoDB table not being within a Virtual Private Cloud (VPC) are significant.

DynamoDB endpoints are publicly accessible, potentially exposing data to risks such as unauthorized access, data breaches, or malicious activity. Without the confinement of a VPC, traffic to and from DynamoDB traverses the public internet, enlarging the attack surface for external threats such as man-in-the-middle attacks.

To enhance security and restrict access to DynamoDB within a VPC, you can create a VPC endpoint specifically for DynamoDB.

What Does a Virtual Private Cloud Endpoint Do?

A VPC endpoint is an Internet gateway, a virtual router that connects a VPC to the Internet.

A VPC endpoint establishes a secure path for accessing DynamoDB from resources within the VPC, such as Amazon EC2 instances. Using a VPC endpoint ensures that traffic between the VPC and DynamoDB stays within the Amazon network, avoiding exposure to the public Internet.

This setup enhances security by providing a direct and secure connection to DynamoDB from resources within the VPC, protecting data confidentiality and integrity, and minimizing external risks.

Therefore, while DynamoDB does not require a VPC by default, utilizing a VPC endpoint offers a more secure and controlled environment for accessing DynamoDB within a Virtual Private Cloud.

How to Create a VPC Endpoint for DynamoDB?

In this blog, we will use AWS CLI commands to create a DynamoDB table and a VPC endpoint, and then restrict access to the table to that endpoint.

1. First, create a DynamoDB table

Creating a DynamoDB table requires the user to define a few key attributes ('AttributeName'), each with its datatype ('AttributeType') and its role in the key ('KeyType').

The creation from the CLI is as follows:

aws dynamodb create-table --table-name BookCollection --attribute-definitions AttributeName=Author,AttributeType=S AttributeName=BookTitle,AttributeType=S --key-schema AttributeName=Author,KeyType=HASH AttributeName=BookTitle,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5

{
    "TableDescription": {
        "AttributeDefinitions": [
            {
                "AttributeName": "Author",
                "AttributeType": "S"
            },
            {
                "AttributeName": "BookTitle",
                "AttributeType": "S"
            }
        ],
        "TableName": "BookCollection",
        "KeySchema": [
            {
                "AttributeName": "Author",
                "KeyType": "HASH"
            },
            {
                "AttributeName": "BookTitle",
                "KeyType": "RANGE"
            }
        ],
        "TableStatus": "CREATING",
        "CreationDateTime": "2024-03-08T19:09:31.124000-05:00",
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 0,
            "ReadCapacityUnits": 5,
            "WriteCapacityUnits": 5
        },
        "TableSizeBytes": 0,
        "ItemCount": 0,
        "TableArn": "arn:aws:dynamodb:us-east-2:AccountID:table/BookCollection",
        "TableId": "cdf99136-8711-4201-8da6-eaa08360e993",
        "DeletionProtectionEnabled": false
    }
}

2. Create a VPC

To create a VPC via the AWS CLI (Command Line Interface), you can provide a CIDR block, tags, and a name. Only the CIDR block is mandatory, but adding a tag is good practice. The CIDR (Classless Inter-Domain Routing) block is the range of IP addresses that will be available to instances within your VPC, for example 10.0.0.0/16.

aws ec2 create-vpc --cidr-block 10.0.0.0/16

{
    "Vpc": {
        "CidrBlock": "10.0.0.0/16",
        "DhcpOptionsId": "dopt-de7ad8b5",
        "State": "pending",
        "VpcId": "vpc-0f8438e8802b03f4d",
        "OwnerId": "AccountID",
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-07d3c05ec763e4d65",
                "CidrBlock": "10.0.0.0/16",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false
    }
}

How to Create a VPC Endpoint for DynamoDB as a Gateway to the VPC

To create a VPC endpoint we can provide the VPC ID, service name, subnets, security groups, and a policy statement, but only two fields are mandatory: the VPC ID (the VPC in which the endpoint is created; the endpoint is reachable only from within this VPC) and the service name or ID (the AWS service for which the endpoint is created).

aws ec2 create-vpc-endpoint --vpc-id "vpc-0f8438e8802b03f4d" --service-name com.amazonaws.us-east-2.dynamodb

{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0e80ababa387ece6f",
        "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0f8438e8802b03f4d",
        "ServiceName": "com.amazonaws.us-east-2.dynamodb",
        "State": "available",
        "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
        "RouteTableIds": [],
        "SubnetIds": [],
        "Groups": [],
        "PrivateDnsEnabled": false,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [],
        "DnsEntries": [],
        "CreationTimestamp": "2024-03-09T00:14:00+00:00",
        "OwnerId": "AccountID"
    }
}
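As an added check that is not part of the original post, the Python below reviews a create-vpc-endpoint response like the one above before a table is put behind it: the endpoint's region must match the table ARN, a gateway endpoint carries no traffic until a route table is associated with it, and the response shows the endpoint policy is still the default full-access document. `review_endpoint`, `region_of_service` and `region_of_arn` are hypothetical helpers, and the sample response is constructed from the output shown on this page.

```python
import json

# Constructed sample: the create-vpc-endpoint response shown in the post (account id
# left as the page's "AccountID" placeholder, fields not needed here omitted).
ENDPOINT_RESPONSE = json.loads(r'''
{"VpcEndpoint": {
  "VpcEndpointId": "vpce-0e80ababa387ece6f",
  "VpcEndpointType": "Gateway",
  "VpcId": "vpc-0f8438e8802b03f4d",
  "ServiceName": "com.amazonaws.us-east-2.dynamodb",
  "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
  "RouteTableIds": []}}
''')
TABLE_ARN = "arn:aws:dynamodb:us-east-2:AccountID:table/BookCollection"

def region_of_service(service_name):
    """'com.amazonaws.us-east-2.dynamodb' -> 'us-east-2'."""
    return service_name.split(".")[2]

def region_of_arn(arn):
    """Field 4 of arn:partition:service:region:account:resource."""
    return arn.split(":")[3]

def review_endpoint(response, table_arn):
    """Return finding codes for an endpoint meant to carry all traffic to table_arn.
    Hypothetical review helper, not an AWS API call."""
    ep = response["VpcEndpoint"]
    findings = []
    if not ep["ServiceName"].endswith(".dynamodb"):
        findings.append("NOT_DYNAMODB_SERVICE")
    elif region_of_service(ep["ServiceName"]) != region_of_arn(table_arn):
        # A gateway endpoint only reaches the service in its own region.
        findings.append("REGION_MISMATCH")
    if ep["VpcEndpointType"] == "Gateway" and not ep["RouteTableIds"]:
        # Until a route table is associated, no subnet sends DynamoDB traffic through
        # the endpoint (aws ec2 modify-vpc-endpoint ... --add-route-table-ids rtb-...).
        findings.append("NO_ROUTE_TABLE_ASSOCIATION")
    for st in json.loads(ep["PolicyDocument"])["Statement"]:
        if (st.get("Effect") == "Allow" and st.get("Principal") == "*"
                and st.get("Action") == "*" and st.get("Resource") == "*"):
            # Default endpoint policy: every principal, every action. The restriction
            # described on this page comes from the IAM aws:sourceVpce policy, not from here.
            findings.append("DEFAULT_FULL_ACCESS_ENDPOINT_POLICY")
    return findings
```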

How to Enforce That All Access to the DynamoDB Table Goes Via the Specified VPC Endpoint

To force traffic to go through the VPC endpoint we created, configure an IAM policy that uses the aws:sourceVpce condition key so that the specified DynamoDB actions are denied unless the request arrives through that endpoint.

The aws:sourceVpce condition key is used in IAM policies to control access based on the VPC endpoint from which the request originates. Applied to DynamoDB VPC endpoints, this condition ensures that DynamoDB is reachable only from specific VPC endpoints, enhancing security and control over data access.

Below we create a JSON policy file that denies every DynamoDB action on the account's tables unless the request comes through the VPC endpoint created above.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-DynamoDB-access-from-specific-endpoint",
            "Effect": "Deny",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:us-east-2:AccountID:table/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-0e80ababa387ece6f"
                }
            }
        }
    ]
}

Note: make sure the DynamoDB table(s) you just created are in the same region as your VPC. If you have global DynamoDB table(s), list the VPC endpoints of all the VPCs your table is replicated to in the condition of the Deny statement, as follows:

"Condition": {
    "StringNotEquals": {
        "aws:sourceVpce": [
            "vpce-xxxxregion1",
            "vpce-xxxxregion2"
        ]
    }
}
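An added example, not from the original post, that builds the Deny statement above for one or more endpoint ids and evaluates it locally the way IAM treats the two string operators, covering both the single-endpoint policy and the multi-endpoint list from the note. `build_vpce_policy`, `condition_matches`, `is_denied` and `with_operator` are hypothetical helpers, the Sid is my own, and only the Condition is evaluated (action and resource are assumed to match).

```python
import json

def build_vpce_policy(account_id, region, endpoint_ids):
    """The post's Deny statement, generalised to one or more endpoint ids.
    StringNotEquals with a list is a negated match: the statement applies (denies)
    only when aws:sourceVpce equals NONE of the listed ids."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDynamoDBOutsideVpcEndpoints",  # assumed name, not from the page
            "Effect": "Deny",
            "Action": "dynamodb:*",
            "Resource": f"arn:aws:dynamodb:{region}:{account_id}:table/*",
            "Condition": {"StringNotEquals": {"aws:sourceVpce": list(endpoint_ids)}},
        }],
    }

def condition_matches(condition, request_context):
    """Evaluate the two operators this page uses, following IAM rules: a missing
    key makes StringEquals false and the negated StringNotEquals true."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = request_context.get(key)  # None when the request carries no such key
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True

def is_denied(policy, request_context):
    """True when a Deny statement applies. Allows granted by other policies are not
    modelled; a dynamodb:* call on one of the account's tables is assumed."""
    return any(st["Effect"] == "Deny" and condition_matches(st.get("Condition", {}), request_context)
               for st in policy["Statement"])

def with_operator(policy, operator):
    """Same policy with the condition operator swapped, to show the StringEquals pitfall."""
    swapped = json.loads(json.dumps(policy))
    cond = swapped["Statement"][0]["Condition"]
    swapped["Statement"][0]["Condition"] = {operator: cond.popitem()[1]}
    return swapped
```

Swapping the operator to StringEquals inside the Deny statement inverts it: requests from the listed endpoints are denied, while a request that carries no aws:sourceVpce key at all (one arriving over the public internet) is not.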

Create the policy from the JSON file above (saved here as policy.json):

aws iam create-policy --policy-name vpcepolicy --policy-document file://policy.json

Attach this policy to a DynamoDB user or, for multiple users, to a role, as follows:

aws iam attach-user-policy --user-name dynauser --policy-arn arn:aws:iam::AccountID:policy/vpcepolicy

aws iam attach-role-policy --role-name dynarole --policy-arn arn:aws:iam::AccountID:policy/vpcepolicy

Once the policy is attached to a user or role, that principal can access DynamoDB through the VPC endpoint only.

Conclusion

Additional security best practices for DynamoDB include regularly rotating and managing IAM credentials for DynamoDB users, ensuring that access keys are not shared and are minimally privileged, using AWS CloudTrail and Amazon CloudWatch to monitor access to and actions on your DynamoDB tables for auditing and real-time security analysis, using encryption at rest and in transit for DynamoDB tables, and more.

Network isolation using a VPC endpoint is an effective way to strengthen your DynamoDB security and prevent access from outside the designated VPC.
