When doing research on one of Amazon Web Services's newer database offerings, Amazon Quantum Ledger Database, we discovered inconsistent and misleading encryption status reported via AWS APIs and the CLI for Amazon QLDB.
The encryption status for Amazon QLDB that was returned via the DescribeLedger calls could be misleading for compliance and security reasons. Accurate security depends on accurate reporting and visibility into configuration and state of data resources. In the case of Amazon QLDB and data security, misleading encryption status could lead to false positives and AWS customers believing their QLDB Ledgers to be unencrypted when in fact their Ledgers are encrypted.
The short summary:
We reported this to AWS Security in February 2024 and they're working on a documentation update.
Update: As of February 26th, 2024, AWS has completed their updates to the Amazon QLDB Developer Guide Documentation with our recommended clarifications. Thanks to the AWS team for the quick responses and collaboration.
When using the CLI or Amazon APIs to describe QLDB Ledgers and their encryption configuration, we observed the 2 following scenarios:
Both of these are misleading for the following reasons:
Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database provided by AWS. All data stored in Amazon QLDB is fully encrypted at rest by default using encryption keys in AWS Key Management Service (KMS). QLDB permits use of either an AWS owned key or a customer managed key.
Note: Amazon QLDB launched support for customer managed AWS Keys in July of 2021. Ledgers created prior to that date are protected by AWS owned keys by default.
With Amazon QLDB, the only way to retrieve encryption information about a QLDB Ledger is the `DescribeLedger` API call. This returns a LedgerEncryptionDescription Object including the "current status, the AWS KMS Key, and when the key became inaccessible (in the case of an error)".
To check encryption status, we first create a QLDB Ledger. This can be done either via AWS Console or programmatically. In this case, we create it programmatically via the AWS CLI:
Note that a ledger encrypted with an AWS Owned KMS Key can be created 2 ways: with the --kms-key value set to AWS_OWNED_KMS_KEY or left as undefined. By default, the creation of a ledger will use an Amazon Web Services owned KMS key.
Now, when we describe this ledger (and tested with both creation options of having a --kms-key value set to AWS_OWNED_KMS_KEY as well as undefined), we get the following:
Note in both these responses, there is no response for EncryptionDescription and the included fields: EncryptionStatus and KmsKeyArn. Those fields exist when describing a QLDB with a customer managed AWS Key.
Let's now update QLDB's encryption from a customer managed AWS Key to a AWS-owned KMS key. This can be done with the UpdateLedger API call. Describing a Ledger in the process of updating Encryption Status results in the following:
The "AWS_OWNED_KMS_KEY" is inconsistent and undocumented for the specific DescribeLedger CLI response.
We have shown the following 2 undocumented observations regarding encryption state of QLDB Ledgers:
We are always looking to provide clarity on cloud data security and proper data asset management. The following steps can be taken to improve security.
If you have comments or questions about cloud data security, we're here to help. Reach out to our team!
Below are screenshot's of AWS's updated documentation with the clarifications for the above findings. Clarifications are highlighted in red.