In this edition of the Financial Services Industry (FSI) Services Spotlight, we delve into five essential factors for organizations leveraging Amazon DynamoDB: compliance achievement, data protection, compute environment isolation, API auditing, and security/access control. Each aspect will be explored with tailored guidance, reference architectures, and technical code to facilitate the approval of Amazon DynamoDB services.
DynamoDB is recognized as a high-speed and adaptable NoSQL database service suitable for any scale. It alleviates the administrative complexities associated with operating and scaling distributed databases, allowing users to avoid concerns such as hardware provisioning, setup, configuration, throughput planning, replication, and software maintenance. As a result, organizations can deploy a NoSQL database in just minutes. DynamoDB automatically adjusts throughput capacity based on workload demands and manages data partitions as table size increases. Moreover, it synchronously replicates data across three availability zones within an AWS Region, ensuring both high availability and data durability.
Supporting both key-value and document data models, DynamoDB offers a flexible schema, permitting varied column counts for each row at any time. This flexibility allows businesses to adapt their tables in response to changing requirements without the need to redefine the table schema as is necessary in traditional relational databases. Data is stored in partitions backed by solid-state drives (SSDs), with partition management completely handled by DynamoDB. This seamless management enables the system to scale to over 10 trillion requests daily, with peak demands exceeding 20 million requests per second, across vast storage capacities. Furthermore, DynamoDB Accelerator (DAX) acts as an in-memory cache, enhancing read performance by up to 10 times, reducing read times from milliseconds to microseconds, even under heavy loads.
DynamoDB’s global tables automatically replicate data across selected AWS Regions, allowing globally distributed applications to access data locally, resulting in single-digit millisecond read and write performance. This design also guards against regional failures with zero Recovery Time Objective (RTO) and near-zero Recovery Point Objective (RPO).
DynamoDB maintains consistent performance across all scales, meaning no refactoring is necessary as data volumes increase. Built for mission-critical applications, it supports atomicity, consistency, isolation, and durability (ACID) transactions for complex business logic needs. Security is paramount, with data encryption and continuous backups ensuring protection, alongside a robust service level agreement.
Numerous FSI clients are currently utilizing Amazon DynamoDB for various applications. For instance, PayCorp transitioned from Microsoft SQL Server to Amazon DynamoDB, empowering them to create flexible, reusable microservices that segment data utilizing DynamoDB as a serverless data store. This transition allowed PayCorp to handle a 50–75% annual growth in data volume, supported by a more adaptable cost model that favors on-demand purchasing rather than hefty capital investments in hardware and software.
Similarly, HomeGuard, an insurance provider operating across 33 states, sought to modernize its technology stack with cloud-native solutions through AWS in 2019. Aiming to streamline development processes, HomeGuard adopted DynamoDB, which significantly reduced product development timelines from months to just 24 hours, enabling weekly or even daily feature releases.
Achieving Compliance
Compliance and security are shared responsibilities between AWS and its customers. AWS manages the infrastructure for AWS services while customers must configure their services accordingly. With Amazon DynamoDB being a managed service, customers shoulder fewer compliance burdens for secure transactional workloads. Customers should assess their network connectivity, encryption, and access requirements concerning other AWS resources. For further insights into compliance, see this other blog post.
DynamoDB adheres to various compliance programs, ensuring customers can meet stringent regulatory standards, including:
- SOC 1, 2, 3
- PCI
- ISMAP
- FedRAMP Moderate (E/W) and FedRAMP High (GovCloud)
- DoD CC SRG IL2 through IL6
- HIPAA BAA
- IRAP
- MTCS
- C5
- K-ISMS
- ENS High
- OSPAR
- HITRUST CSF
- FINMA
- GSMA
- PiTuKri
Logging and Auditing
AWS CloudTrail allows users to log control plane and data plane activity on DynamoDB tables. This enables precise monitoring of all item interactions within a table. Control plane activities include creating or deleting tables, while data plane activities encompass actions like adding or retrieving items. Database administrators and security professionals can utilize this information for audits, as each event carries critical metadata such as the actor, timestamp, and affected resources. Events are formatted in JSON and stored in CloudTrail log files, and you can find sample event JSON files here.
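To show what auditing the CloudTrail records described above looks like in practice, here is an added example (not code from the original post or from AWS): it parses a constructed CloudTrail log file, keeps only the DynamoDB records, separates control-plane from data-plane activity using the record's eventCategory field, and pulls out the actor, timestamp and table for each event. The DESTRUCTIVE set of event names and all sample values are assumptions.

```python
import json

# Control-plane calls that change or destroy a table's setup; alert on these (assumed list).
DESTRUCTIVE = {"DeleteTable", "DeleteBackup", "UpdateTable", "UpdateTimeToLive"}

# Constructed CloudTrail log file (not a real capture): record fields follow the
# CloudTrail format, every value is made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "eventCategory": "Management", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"tableName": "Payments"}},
    {"eventTime": "2024-03-01T10:16:30Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetItem", "eventCategory": "Data", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app1"},
     "requestParameters": {"tableName": "Accounts"}},
    {"eventTime": "2024-03-01T10:17:05Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "BatchWriteItem", "eventCategory": "Data", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app1"},
     "requestParameters": {"requestItems": {"Accounts": {}, "Ledger": {}}}},
    {"eventTime": "2024-03-01T10:18:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]})

def table_names(params):
    """Tables a request touched; batch calls name them as requestItems keys."""
    if "tableName" in params:
        return [params["tableName"]]
    return sorted(params.get("requestItems", {}))

def parse_dynamodb_events(log_text):
    """Flatten the DynamoDB records of a CloudTrail log file into audit rows."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue  # other services share the same log file
        rows.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "event": rec["eventName"],
            "plane": "control" if rec.get("eventCategory") == "Management" else "data",
            "read_only": bool(rec.get("readOnly")),
            "tables": table_names(rec.get("requestParameters") or {}),
        })
    return rows

def destructive_control_plane(rows):
    """Rows an auditor reviews first: control-plane changes to a table's setup."""
    return [r for r in rows if r["plane"] == "control" and r["event"] in DESTRUCTIVE]
```

Against real log files the same functions apply to each gzipped JSON object delivered to the CloudTrail S3 bucket; data-plane records only appear once data event logging is enabled for the table.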
Data Protection
At AWS, security is paramount. DynamoDB ensures user data is encrypted both at rest and in transit.
Encryption At Rest
Encryption at rest is vital for regulatory compliance: stored data can only be read by principals authorized to use the encryption key. DynamoDB encrypts data with the 256-bit Advanced Encryption Standard (AES-256). When an encrypted table is accessed, DynamoDB transparently decrypts the data, so there is minimal performance impact and no application changes are required.
On-demand backups are secured with the table-level encryption key specified during backup creation. Updating this key does not alter the encryption key used for existing backups.
When establishing a new table, you can select from various AWS Key Management Service (KMS) keys for encryption. Financial services customers frequently opt for customer-managed keys to enhance control over their data security. For more insights on this topic, check out this authoritative resource.
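As an added example (not code from the original post or from AWS), the following classifies tables by who controls their at-rest key and lists the ones that miss a customer-managed-key policy, which is the control FSI reviewers usually ask about. It assumes the inputs have the shape of boto3's dynamodb describe_table and kms describe_key responses, that a table encrypted with the AWS owned key has no SSEDescription in DescribeTable, and that KeyManager distinguishes AWS-managed from customer-managed keys; all names and ARNs are constructed.

```python
# Constructed DescribeTable responses (shape of boto3 dynamodb.describe_table);
# table names and key ARNs are made up.
TABLES = [
    {"Table": {"TableName": "Payments",
               "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                  "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/cmk-0001"}}},
    {"Table": {"TableName": "Accounts",
               "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                  "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/awsmgd-0002"}}},
    {"Table": {"TableName": "Sessions"}},  # no SSEDescription: AWS owned key (assumed)
]

# Constructed KMS key metadata keyed by ARN (shape of kms.describe_key()["KeyMetadata"]);
# KeyManager tells an AWS-managed key (alias/aws/dynamodb) from a customer-managed one.
KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0001": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/awsmgd-0002": {"KeyManager": "AWS", "KeyState": "Enabled"},
}

def key_class(table_desc, key_metadata):
    """Classify who controls a table's at-rest key.

    DynamoDB always encrypts at rest, so the review question is key ownership:
    no SSEDescription means the AWS owned key; otherwise look the KMS key up.
    """
    sse = table_desc["Table"].get("SSEDescription")
    if not sse or sse.get("SSEType") != "KMS":
        return "aws-owned"
    meta = key_metadata.get(sse.get("KMSMasterKeyArn"), {})
    if meta.get("KeyManager") == "CUSTOMER":
        return "customer-managed"
    if meta.get("KeyManager") == "AWS":
        return "aws-managed"
    return "unknown-key"  # key ARN not visible to the reviewer, e.g. in another account

def sse_spec_for(cmk_arn):
    """SSESpecification to pass to create_table/update_table to move a table onto a CMK."""
    return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": cmk_arn}

def noncompliant_tables(tables, key_metadata, required="customer-managed"):
    """Table names whose key class misses the policy (default: customer-managed key)."""
    return sorted(t["Table"]["TableName"] for t in tables
                  if key_class(t, key_metadata) != required)
```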
For those seeking more information about Amazon services, this Reddit thread is an excellent resource for beginners.