2 min read

Secure AWS BYOK Service for DynamoDB

Secure AWS BYOK Service for DynamoDB

In this article we will explain what AWS DynamoDB does and how Cryptomathic's AWS BYOK Service is an option for providing secure key management as a service when using it.

Launched in 2012, Amazon DynamoDB is promoted as a “fast, flexible NoSQL database service for single-digit millisecond performance at any scale.” DynamoDB supports both key-value and document data models. It is designed to run high-performance, internet-scale applications that would typically be too intensive for what are considered traditional relational databases.

Because it is serverless, the need to provision, patch, or manage servers is eliminated and there is no need to install software. DynamoDB automatically scales tables without administration to adjust for capacity.

DynamoDB is unique in that it is a key-value and document database that is capable of supporting tables of any size with horizontal scaling. Each row can contain any number of columns at any time. This allows the user to quickly adapt the tables as their needs change without needing to redefine the table’s schema, which would be needed with a relational database. DynamoDB is capable of scaling to more than 10 trillion requests per day, with peaks of more than 20 million requests per second over storage capacities of petabytes.

DynamoDB provides:

  • Built-in security
  • Continuous backups
  • In-memory caching
  • Automated multi-region replication
  • Data export tools

DynamoDB exports, analyzes and streams data to integrate with other AWS services. For example, integrating with other AWS services by performing analytics and extracting insight and monitoring trends for enhanced security.

DynamoBD can be integrated with:

  • Amazon S3
  • AWS Glue Elastic Views
  • Amazon Kinesis Data Streams
  • Amazon CloudTrail
  • Amazon CloudWatch

Cryptomathic’s Secure BYOK Service for AWS DynamoDB

Cryptomathic’s approach to “bring your own key” (BYOK) is along the lines of “manage your own key (MYOK)” where keys are managed throughout their entire life cycles from creation to destruction. The BYOK root key is generated and stored within a cloud-based FIPS 140-2 Level 3 HSM. When used for AWS services like DynamoDB, the user’s application key is stored on an AWS HSM. However, the root key remains under control of Cryptomathic’s AWS BYOK Service, where it is secured, managed, and protected - unaccessible to 3rd parties.

New call-to-action

Blending Security and Ease of Use

In the past, industry-grade security was requiring local data centers and sophisticated infrastructure.

To disrupt this, Cryptomathic has applied its decades-long experience of pioneering cybersecurity infrastructure for governments and banks.

Intertwining Cryptomathic Key Management Technology with the AWS infrastructure allows to offer the best of two worlds:

  • Industry-grade security
    • Cryptomathic’s key management expertise to securely manage the life-cycle of root key (key encryption keys KEK)
    • Compliance with industry-standards such as GDPR, HIPAA, PCI-DSS and more
    • Auditability and documented compliance through downloadable reports (information and logging on system, keys, changes with time stamp)
    • Operation out of EU in a SOC 2 data center
  • Ease of use
    • On-demand subscription model
    • Easy and rapid ramp up and deployment of the solution
    • Comfortable easy-to-use user interface
    • No long-term binding contracts

Advantage of Using Cryptomathic’s AWS BYOK Service with DynamoDB

Cryptomathic’s AWS BYOK Service is designed in such a way that no one can retrieve users' plaintext keys for the service. The plaintext keys are never written to the disk. Instead, they are used only in volatile memory in the HSMs. When important keys are in AWS DynamoDB, the user maintains a secure copy where it can be re-imported when needed.

Available as an on-demand service, Cryptomathic's AWS BYOK provides the highest level of control over the permissions and lifecycle of the users’ keys. AWS DynamoDB provides users with scalability of their databases while Cryptomathic allows for automatic scaling for managing multiple keys and using when needed to keep keys secure.


New call-to-action