Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | DynamoDB has no API keys of its own. Every request is authorized through IAM: a principal (user or role) signs the request and IAM policies decide whether the action on the table is allowed. Long-term IAM access keys are IAM credentials, not DynamoDB API keys, and should be avoided in favour of roles with short-lived credentials. | |
| Authentication & Authorization | IAM Integration | True | DynamoDB integrates with AWS Identity and Access Management (IAM) allowing granular access control through policies and roles. | |
| Authentication & Authorization | MFA | True | MFA is not enforced by default. It is required by adding the `aws:MultiFactorAuthPresent` condition key to the IAM or resource policies that grant DynamoDB access, so that calls made with credentials not obtained through MFA are denied. | Applies to IAM users and to roles assumed with MFA. Service roles (EC2, Lambda, ECS) carry no MFA context key, so MFA conditions must not be placed on them. In Deny statements use `BoolIfExists` rather than `Bool`, otherwise requests that lack the key (long-term access keys) slip through. |
| Authentication & Authorization | Service Account Support | True | IAM roles attached to workloads (EC2 instance profiles, ECS task roles, Lambda execution roles, EKS pod identities) provide short-lived credentials scoped to the tables and actions the workload needs, so no long-term secret has to be stored. | |
| Authentication & Authorization | Standard Protocols | True | DynamoDB authenticates every request with AWS Signature Version 4 (SigV4) over HTTPS; there is no username/password or bearer-token scheme specific to DynamoDB. | AWS Signature Version 4 |
| Compliance & Certifications | Compliance Documentation | True | AWS publishes third-party audit reports (SOC, PCI DSS, ISO and others) covering its services, including DynamoDB, through AWS Artifact in the Management Console. | Available via AWS Artifact. |
| Compliance & Certifications | Industry Certifications | True | AWS DynamoDB is compliant with various industry standards and regulations; specific certifications vary by region and service. Refer to AWS's compliance documentation for details. | See AWS compliance documentation. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking or redaction must be implemented at the application level; DynamoDB doesn't offer this functionality directly. | Requires application-level implementation. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DynamoDB has no built-in sensitive data scanning. Amazon Macie classifies objects in Amazon S3, not DynamoDB tables, so table data must first be exported to S3 (for example with the DynamoDB export-to-S3 feature, which requires point-in-time recovery to be enabled) before Macie can scan it. | Requires export to S3 plus Macie or a custom scanner. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Table data stays in the region where the table was created unless a cross-region path is explicitly configured: a global-table replica, an export to an S3 bucket in another region, or an application-level copy. DynamoDB has no dedicated switch to block these, but IAM policies or SCPs can prevent them, for example by denying `dynamodb:*` when `aws:RequestedRegion` is outside the approved regions and by denying the global-table actions (`dynamodb:CreateGlobalTable`, `dynamodb:CreateTableReplica`). VPC peering and security groups do not control this, because DynamoDB is a regional service endpoint rather than a resource inside your VPC. | Indirect, via IAM/SCP conditions; requires careful configuration. |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides documentation and tools to identify the region where your DynamoDB tables and data reside. The AWS Management Console clearly displays the region for each resource. | |
| Data Residency & Sovereignty | Region Selection | True | DynamoDB allows you to specify the AWS region where your tables are created and data is stored. AWS offers multiple regions globally, allowing for compliance with data residency requirements. | |
| Encryption | Encryption at Rest | True | Encryption at rest is always on and cannot be disabled. Three key options exist: the AWS owned key (default, no charge), the AWS managed key `aws/dynamodb`, or a customer managed KMS key whose policy, rotation and CloudTrail usage records you control. Customer-provided (SSE-C style) keys are not supported; if you must hold the keys yourself, encrypt attributes client-side before writing (for example with the AWS Database Encryption SDK for DynamoDB). | Customer managed keys incur KMS charges; automatic rotation can be enabled on them, and AWS managed keys rotate automatically. |
| Encryption | Encryption in Transit | True | All DynamoDB endpoints require HTTPS; data in transit between clients and the service is protected with TLS. | AWS API endpoints require TLS 1.2 or higher. |
| Logging & Monitoring | Access Logging | True | DynamoDB has no separate access log. Item-level (data-plane) operations such as GetItem, PutItem, Query and Scan are recorded as CloudTrail data events, which must be enabled per trail or event data store and can be delivered to S3 and CloudWatch Logs. | CloudTrail data events are opt-in and billed separately. |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail records control-plane (management) API calls to DynamoDB such as CreateTable, UpdateTable and DeleteTable by default; item-level data events must be enabled explicitly. | Requires CloudTrail. |
| Logging & Monitoring | Log Retention | True | Retention is set where the logs land: the retention period on the CloudWatch Logs log group, lifecycle rules on the S3 bucket that receives CloudTrail files, or the retention setting of a CloudTrail Lake event data store. | Configured in CloudWatch Logs, S3 lifecycle rules or CloudTrail Lake, not in DynamoDB. |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch provides monitoring and alerting capabilities for DynamoDB metrics. | Requires CloudWatch. |
| Network Security | API Gateway Integration | True | Amazon API Gateway can be placed in front of DynamoDB (proxying to it directly through a service integration or via Lambda) to add its own authorizers (IAM, Cognito, Lambda authorizers), request validation, throttling and AWS WAF. This is optional; SDK clients normally call DynamoDB directly. | |
| Network Security | DDoS Protection | True | DynamoDB endpoints are covered by AWS Shield Standard, the always-on DDoS protection of the AWS global infrastructure, at no extra cost. | AWS infrastructure protection (Shield Standard). |
| Network Security | Firewall Rules | True | DynamoDB is a regional service endpoint, not a resource inside your VPC, so security groups and network ACLs cannot be attached to it. Network-level restriction is achieved with a VPC endpoint and its endpoint policy, and with IAM or resource policy conditions such as `aws:SourceVpce` or `aws:SourceVpc` that deny requests not arriving through the endpoint. Security groups on the client side can limit egress to the DynamoDB managed prefix list. | Via VPC endpoint policies and IAM conditions, not instance-level firewall rules. |
| Network Security | Private Access | True | DynamoDB can be reached without traversing the public internet through a gateway VPC endpoint (no charge, configured via route tables) or an interface endpoint (AWS PrivateLink), the latter also reachable from on-premises networks over VPN or Direct Connect. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | While not explicitly documented in detail, DynamoDB's design demonstrates adherence to common secure API design principles, such as least privilege access and secure authentication mechanisms. | Indirect evidence. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS employs secure coding practices and security testing throughout its development lifecycle. Direct access to these processes for DynamoDB is not publicly available. | AWS responsibility, indirect evidence. |
| Vulnerability Management & Patching | Security Updates | True | AWS is responsible for patching and updating the underlying DynamoDB infrastructure. | AWS responsibility. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | AWS conducts regular security assessments and penetration testing of its services, including DynamoDB. Direct access to these results is typically not provided to customers. | AWS responsibility, indirect evidence. |
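The IAM Integration, MFA, Cross-Region Data Transfer Controls and Firewall Rules rows above all come down to policy conditions, and the mistakes hide in how IAM treats an absent context key. The following is an added example, not AWS code or part of the original assessment: a small evaluator for the subset of IAM logic those rows rely on (explicit Deny beats Allow, wildcard Action/Resource matching, and the StringEquals, StringNotEquals, Bool and BoolIfExists operators with their documented behaviour when the key is missing). The account ID, region, table name and endpoint ID are made up. It runs the policies against constructed request contexts, including the well-known gap where a `Bool` MFA deny does not match a caller using long-term access keys.

```python
"""Toy IAM evaluator for DynamoDB access policies (added example, not AWS code).

Covers: explicit Deny > Allow > implicit deny, wildcard Action/Resource matching,
and the StringEquals / StringNotEquals / Bool / BoolIfExists condition operators,
including the documented behaviour when a context key is absent.
Account, region, table and endpoint identifiers below are hypothetical.
"""
import fnmatch

ACCOUNT = "111122223333"                      # hypothetical account id
REGION = "eu-west-1"                          # approved region (assumption)
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Orders"
VPCE_ID = "vpce-0abc123def4567890"            # hypothetical gateway endpoint

# Least-privilege policy for the application role: only the Orders table (and
# its indexes), and only when the request arrived through our VPC endpoint.
APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrdersReadWriteViaEndpoint", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                "dynamodb:UpdateItem"],
     "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}},
]}

def operator_policy(mfa_operator="BoolIfExists"):
    """Guard rails for human operators. The weak variant uses Bool, which does
    not match when aws:MultiFactorAuthPresent is absent (long-term access keys
    never carry it); BoolIfExists treats the absent key as a match and denies."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FullDynamoDB", "Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "*"},
        {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "dynamodb:*",
         "Resource": "*",
         "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "DenyOutsideApprovedRegion", "Effect": "Deny",
         "Action": "dynamodb:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": REGION}}},
    ]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, ctx):
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual in expected                 # absent key never matches
            elif op == "StringNotEquals":               # negated ops match on absent key
                ok = actual not in expected
            elif op == "Bool":
                ok = actual is not None and actual.lower() == expected[0].lower()
            elif op == "BoolIfExists":                  # absent key counts as a match
                ok = actual is None or actual.lower() == expected[0].lower()
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(st["Action"])):      # actions are case-insensitive
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_matches(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit_deny"                        # explicit deny always wins
            decision = "allow"
    return decision

# Constructed request contexts: what IAM would see for each caller.
APP_VIA_ENDPOINT = {"aws:SourceVpce": VPCE_ID, "aws:RequestedRegion": REGION}
APP_FROM_INTERNET = {"aws:RequestedRegion": REGION}               # no endpoint key
ADMIN_ACCESS_KEYS = {"aws:RequestedRegion": REGION}               # no MFA key at all
ADMIN_MFA_SESSION = {"aws:RequestedRegion": REGION, "aws:MultiFactorAuthPresent": "true"}
ADMIN_OTHER_REGION = {"aws:RequestedRegion": "us-east-1", "aws:MultiFactorAuthPresent": "true"}

def scenarios():
    """Evaluate the table's controls against the constructed requests."""
    app, weak, strong = [APP_ROLE_POLICY], [operator_policy("Bool")], [operator_policy()]
    other_table = TABLE_ARN.replace("Orders", "Payroll")
    other_region_table = TABLE_ARN.replace(REGION, "us-east-1")
    return {
        "app_getitem_via_endpoint": evaluate(app, "dynamodb:GetItem", TABLE_ARN, APP_VIA_ENDPOINT),
        "app_getitem_from_internet": evaluate(app, "dynamodb:GetItem", TABLE_ARN, APP_FROM_INTERNET),
        "app_scan_other_table": evaluate(app, "dynamodb:Scan", other_table, APP_VIA_ENDPOINT),
        "app_deletetable": evaluate(app, "dynamodb:DeleteTable", TABLE_ARN, APP_VIA_ENDPOINT),
        "admin_no_mfa_weak_deny": evaluate(weak, "dynamodb:DeleteTable", TABLE_ARN, ADMIN_ACCESS_KEYS),
        "admin_no_mfa_strong_deny": evaluate(strong, "dynamodb:DeleteTable", TABLE_ARN, ADMIN_ACCESS_KEYS),
        "admin_mfa_session": evaluate(strong, "dynamodb:DeleteTable", TABLE_ARN, ADMIN_MFA_SESSION),
        "admin_create_table_other_region": evaluate(strong, "dynamodb:CreateTable", other_region_table, ADMIN_OTHER_REGION),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:34} {decision}")
```

The instructive line is `admin_no_mfa_weak_deny`: with `Bool` the deny statement never fires for a caller whose context has no MFA key, so the broad Allow stands; switching the operator to `BoolIfExists` turns the same request into an explicit deny. The evaluator deliberately omits policy variables, NotAction/NotResource and resource-based policies, so use IAM Access Analyzer or the policy simulator for real policies.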
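The Access Logging, Audit Logging and Monitoring rows say that item-level access only becomes visible once CloudTrail data events are enabled; what a detection engineer then does with those records is not shown. Below is an added example, not AWS code or part of the original page, that triages a handful of constructed CloudTrail records shaped like real ones (`eventSource`, `eventName`, `userIdentity.arn`, `vpcEndpointId`, `errorCode`, `requestParameters`) and raises findings for the controls in this table: data-plane calls that did not arrive through the VPC endpoint, bulk reads of a sensitive table by an unexpected principal, a burst of `AccessDenied` errors from one principal, and an `UpdateTable` that adds a replica outside the approved region. All ARNs, IDs, addresses, table names and thresholds are hypothetical.

```python
"""Triage of constructed DynamoDB CloudTrail records (added example, not AWS code).

Record shapes follow CloudTrail's JSON fields, but every ARN, endpoint ID,
address and table name below is made up for the demonstration.
"""
from collections import Counter

SENSITIVE_TABLES = {"Payroll"}                       # assumption
ALLOWED_BULK_READERS = {"role/PayrollBatchRole"}     # assumption
APPROVED_REGIONS = {"eu-west-1"}                     # assumption
DENIED_THRESHOLD = 3                                 # assumption
DATA_PLANE = {"GetItem", "BatchGetItem", "Query", "Scan", "PutItem", "UpdateItem",
              "DeleteItem", "BatchWriteItem", "TransactGetItems", "TransactWriteItems"}
BULK_READS = {"Scan", "BatchGetItem"}

def _rec(name, arn, table=None, **extra):
    """Build one constructed CloudTrail record with just the fields triage reads."""
    r = {"eventSource": "dynamodb.amazonaws.com", "eventName": name,
         "awsRegion": "eu-west-1", "userIdentity": {"arn": arn},
         "requestParameters": {"tableName": table} if table else {}}
    r.update(extra)
    return r

APP = "arn:aws:sts::111122223333:assumed-role/OrdersAppRole/i-0abc123"   # hypothetical
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"                # hypothetical
ADMIN = "arn:aws:iam::111122223333:user/dba"                            # hypothetical
VPCE = "vpce-0abc123def4567890"                                         # hypothetical

SAMPLE_RECORDS = [                                  # constructed sample log
    _rec("GetItem", APP, "Orders", vpcEndpointId=VPCE),                   # normal
    _rec("Scan", APP, "Orders", sourceIPAddress="203.0.113.7"),          # bypassed endpoint
    _rec("Scan", CONTRACTOR, "Payroll", vpcEndpointId=VPCE),             # bulk read, wrong principal
    *[_rec("GetItem", CONTRACTOR, "Payroll", vpcEndpointId=VPCE,
           errorCode="AccessDenied") for _ in range(3)],                 # probing
    _rec("UpdateTable", ADMIN, requestParameters={
        "tableName": "Orders",
        "replicaUpdates": [{"create": {"regionName": "us-east-1"}}]}),   # cross-region replica
    _rec("CreateTable", ADMIN, "Audit"),                                 # normal
]

def principal(rec):
    """'...:assumed-role/Role/session' -> 'role/Role'; IAM users stay 'user/name'."""
    tail = rec["userIdentity"]["arn"].split(":")[-1]
    if tail.startswith("assumed-role/"):
        return "role/" + tail.split("/")[1]
    return tail

def triage(records):
    """Return a list of findings, one dict per rule hit."""
    findings, denied = [], Counter()
    for rec in records:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        name, who = rec["eventName"], principal(rec)
        params = rec.get("requestParameters") or {}
        table = params.get("tableName")
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == DENIED_THRESHOLD:       # fire once per principal
                findings.append({"rule": "access_denied_burst", "principal": who})
        if name in DATA_PLANE and not rec.get("vpcEndpointId"):
            findings.append({"rule": "data_plane_outside_vpc_endpoint",
                             "principal": who, "table": table})
        if name in BULK_READS and table in SENSITIVE_TABLES and who not in ALLOWED_BULK_READERS:
            findings.append({"rule": "bulk_read_sensitive_table",
                             "principal": who, "table": table})
        new_regions = [u["create"]["regionName"]
                       for u in params.get("replicaUpdates", []) if "create" in u]
        if name == "CreateGlobalTable" or any(r not in APPROVED_REGIONS for r in new_regions):
            findings.append({"rule": "cross_region_replica", "principal": who,
                             "table": table, "regions": new_regions})
    return findings

def summarize(findings):
    """Count findings per rule."""
    return Counter(f["rule"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

Two points the sample makes concrete: the `Scan` by the application role is only suspicious because `vpcEndpointId` is missing, which is the field that lets you verify the Private Access row is actually being honoured; and the replica detection keys off `requestParameters.replicaUpdates`, which is how the cross-region control from the Data Residency row shows up in the audit trail after the fact.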