Is AWS DynamoDB available through Https/SSL and does it support SNI?

Just getting started with DynamoDB from Amazon. I'm planning to have clients directly access DynamoDB through a JS client-side app which is running over HTTPS.

Thus I was wondering whether DynamoDB supports SSL?

Are custom vanity domains (through CNAME and SNI certificate like CloudFront) supported as well?

Manuel asked Oct 16 '25 17:10


1 Answer

This question raises many related questions for me; some answers I've found:

  • Which version of SSL/TLS? AWS documents that DynamoDB uses TLS 1.2 or TLS 1.3 (the latter was added since this answer was first written): https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/network-isolation.html

  • Is TLS required out of the box? (TL;DR: no) AWS doesn't document this, exactly. There are plain HTTP endpoints as well as HTTPS endpoints. It seems that HTTP is directly usable if requested, as the following AWS CLI command worked, gave the same output as HTTPS, and the debug logs indicated plain HTTP was used:

    aws dynamodb --debug --endpoint-url http://dynamodb.us-east-1.amazonaws.com list-tables

  • Can TLS be required by policy or configuration? (TL;DR: no) An answer to a related question indicates that it can be forced on the client side using an HTTPS endpoint URL. However, unlike S3 bucket policies which can require secure transport, there is no such thing as a "table policy" in DynamoDB. Moreover, there doesn't seem to be a relevant option for CreateTable and there doesn't seem to be a service-level configuration option, either.

As far as I can tell, this leaves the only options to absolutely guarantee encryption-in-transit as:

  • Client-side configuration to force the use of an HTTPS endpoint URL, however any misconfigured client can trivially bypass this (so it's only "opportunistic encryption"); or
  • Client-side encryption, i.e. you store only data you've explicitly encrypted using a key you manage (some libraries may assist with this, making it more transparent). This may impact the usability of your hash (partition) and/or range (sort) keys for serving queries.

As a final note, the part about vanity names is quite distinct in my opinion and should be asked separately. I would guess it isn't possible, though, because DynamoDB API requests have to be signed and the signature has to include the endpoint URL, and there's no way to configure DynamoDB to recognize endpoints other than the official ones.

kbolino answered Oct 18 '25 08:10


