Why is my encrypted DynamoDB failing the AWS DynamoDB Table Encryption policy in Panther?
You have a DynamoDB table that shows as encrypted in AWS, but Panther alerts you that it failed to pass the AWS DynamoDB Table Encryption policy.
To resolve this issue:
- Check the Alert to see if the DynamoDB table contains the
- If the field is not present, then the issue is due to changes to AWS's default settings for DynamoDB tables. You can safelt ignore this alert. See Cause below for more information.
- If the field is present, check the value of
SSEDescription.Status. This should be Enabled. If it is anything else, then the policy will fail, and you'll need to investigate why the value is different.
AWS recently changed their settings so that DynamoDB tables are now encrypted by default. For such tables, the
SSEDescription field isn't present. Since the Panther-provided policy relies on that field to check for encryption, it will fail any resources which don't have it.