HIGH cryptographic failuresfastapidynamodb

Cryptographic Failures in Fastapi with Dynamodb

Scan for cryptographic failures in fastapi

Cryptographic Failures in Fastapi with Dynamodb — how this specific combination creates or exposes the vulnerability

Cryptographic Failures occur when data is not adequately protected in transit or at rest, leading to exposure or tampering of sensitive information. The combination of FastAPI and DynamoDB can inadvertently introduce such weaknesses if cryptographic controls are not consistently applied across the application and database layers.

In FastAPI, endpoints that accept or return sensitive data (such as authentication tokens, personal identifiable information, or payment details) must enforce transport-layer encryption via HTTPS. If TLS is not mandatory or if mixed content is allowed, credentials or payloads can be intercepted. Further, application-level cryptography is required when data must remain confidential in storage within DynamoDB. Storing plaintext secrets, predictable keys, or using weak algorithms (e.g., MD5, SHA1) for hashing or signing violates secure cryptographic practices.

DynamoDB itself does not manage encryption keys for your data by default if you rely on AWS KMS customer managed keys; if key policies are misconfigured, unauthorized services or principals might gain access. Additionally, if your FastAPI code performs cryptographic operations (e.g., signing tokens, encrypting fields) with hardcoded or poorly managed keys, an attacker who compromises the application layer can recover or forge privileged data. Common mistakes include using static initialization vectors, skipping integrity checks (e.g., omitting authentication tags), or not rotating keys, which increases the blast radius of a key exposure.

Another subtle risk arises from how DynamoDB handles data at rest and in logs. If your FastAPI application logs sensitive payloads or stack traces to CloudWatch without masking, cryptographic protections are undermined. Also, failing to use envelope encryption for large datasets or not validating ciphertexts before decryption can lead to padding oracle attacks or plaintext recovery. The interplay between FastAPI routing/middleware and DynamoDB’s SDK behavior means cryptographic errors can propagate silently, making thorough scanning essential to identify misconfigurations and missing controls.

Dynamodb-Specific Remediation in Fastapi — concrete code fixes

To mitigate Cryptographic Failures when using FastAPI with DynamoDB, enforce HTTPS, use strong algorithms, and handle keys securely. Below are concrete, working code examples for FastAPI routes that store and retrieve encrypted data in DynamoDB using envelope encryption with AWS KMS and the AWS SDK for Python (Boto3).

Enforce HTTPS and secure transport

Configure FastAPI to require HTTPS in production. Use middleware to redirect HTTP to HTTPS and set secure headers.

from fastapi import FastAPI, Request, Security
from fastapi.middleware.httpsredirect import HTTPSRedirectMiddleware

app = FastAPI()
app.add_middleware(HTTPSRedirectMiddleware)

Encrypt/decrypt helper using AWS KMS and envelope encryption

Use KMS to generate a data key, encrypt the plaintext locally, then store ciphertext alongside the encrypted data key in DynamoDB. This limits exposure of KMS keys and allows fine-grained access control.

import base64
import os
from typing import Tuple
import boto3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KMS_KEY_ID = "arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

def encrypt_data(plaintext: bytes) -> Tuple[bytes, bytes]:
    kms = boto3.client("kms", region_name="us-east-1")
    response = kms.generate_data_key(KeyId=KMS_KEY_ID, KeySpec="AES_256")
    plaintext_key = response["Plaintext"]
    encrypted_key = response["CiphertextBlob"]
    nonce = os.urandom(12)
    aesgcm = AESGCM(plaintext_key)
    ciphertext = aesgcm.encrypt(nonce, plaintext, associated_data=None)
    return ciphertext, encrypted_key, nonce

def decrypt_data(ciphertext: bytes, encrypted_key: bytes, nonce: bytes) -> bytes:
    kms = boto3.client("kms", region_name="us-east-1")
    response = kms.decrypt(CiphertextBlob=encrypted_key)
    plaintext_key = response["Plaintext"]
    aesgcm = AESGCM(plaintext_key)
    return aesgcm.decrypt(nonce, ciphertext, associated_data=None)

Secure DynamoDB write with encrypted fields

Store only encrypted values and the encrypted data key in DynamoDB. Never store plaintext secrets. Use strongly-typed models and avoid logging raw payloads.

import boto3
from pydantic import BaseModel
import json

dynamodb = boto3.resource("dynamodb", region_name="us-east-1")
table = dynamodb.Table("secure_items")

class SecureItem(BaseModel):
    item_id: str
    sensitive_field: bytes  # encrypted
    encrypted_key: bytes    # encrypted data key
    nonce: bytes            # stored alongside ciphertext

    def save(self):
        table.put_item(
            Item={
                "item_id": self.item_id,
                "sensitive_field": self.sensitive_field,
                "encrypted_key": self.encrypted_key,
                "nonce": self.nonce,
            }
        )

@app.post("/items/")
def create_item(payload: dict):
    plaintext = payload["secret"].encode("utf-8")
    ciphertext, encrypted_key, nonce = encrypt_data(plaintext)
    item = SecureItem(
        item_id=payload["id"],
        sensitive_field=ciphertext,
        encrypted_key=encrypted_key,
        nonce=nonce,
    )
    item.save()
    return {"status": "stored"}

Secure DynamoDB read with decryption

Retrieve items and decrypt only when necessary. Ensure IAM policies restrict KMS usage and that responses are not inadvertently logged.

@app.get("/items/{item_id}")
def get_item(item_id: str):
    resp = table.get_item(Key={"item_id": item_id})
    if "Item" not in resp:
        raise HTTPException(status_code=404, detail="not found")
    item = resp["Item"]
    plaintext = decrypt_data(
        ciphertext=item["sensitive_field"],
        encrypted_key=item["encrypted_key"],
        nonce=item["nonce"],
    )
    return {"item_id": item_id, "secret": plaintext.decode("utf-8")}

Operational safeguards

  • Enable DynamoDB encryption at rest with customer managed KMS keys and review key policies to follow least privilege.
  • Rotate KMS keys periodically and audit usage via CloudTrail.
  • Validate and sanitize all inputs to prevent injection that could bypass application-layer crypto.
  • Ensure TLS 1.2+ is enforced for all API calls (e.g., via load balancer or API gateway).
Scan for cryptographic failures in fastapi Free API security scan

Frequently Asked Questions

How can I verify that my FastAPI endpoints are enforcing HTTPS when communicating with DynamoDB?
Use automated scans that check for HTTP-to-HTTPS redirects and inspect TLS configurations. You can also test endpoints with curl -v http://your-api/... and confirm responses redirect to HTTPS and that no sensitive data appears in logs.
What should I do if a DynamoDB scan reports cryptographic misconfigurations?
Review the specific findings: ensure data is encrypted at rest with customer managed KMS keys, enforce HTTPS for all API traffic, apply envelope encryption for sensitive fields, rotate keys, and validate that ciphertexts are authenticated (e.g., AES-GCM with associated data). Use provided remediation guidance to update code and key policies.

Related Pages

Cryptographic Failures in FastapiDiscover how cryptographic failures manifest in FastAPI applications, from weak JWT implementations to timing attacks, aCryptographic Failures in DynamodbDynamoDB cryptographic failures expose sensitive data through plaintext storage, weak keys, and missing encryption. LearCis: Cryptographic FailuresLearn how cryptographic failures (Cis) appear in APIs, including weak algorithms, improper IVs, and missing authenticatiCryptographic Failures in Fastapi on RailwayCryptographic failures in Fastapi on Railway: causes, secure code examples, and Railway-specific remediation.Pci Dss: Cryptographic Failures in FastapimiddleBrick scans FastAPI APIs for PCI DSS cryptographic failures: enforce HTTPS, strong ciphers, secure key handling, aSoc2: Cryptographic Failures in FastapiExplore how SOC 2 intersects with cryptographic failures in FastAPI APIs, with concrete remediation examples and secure Iso 27001: Cryptographic Failures in FastapiExplore ISO 27001 controls for cryptographic failures in FastAPI APIs. Concrete remediation examples and how middleBrickCis: Cryptographic Failures in FastapiUnderstand Cryptographic Failures in FastAPI mapped to CIS controls, with concrete remediation code examples.Cryptographic Failures in Fastapi with Jwt TokensCryptographic failures in FastAPI with JWT tokens and concrete remediation code examples to enforce strict validation anCryptographic Failures in Fastapi with Api KeysExplore cryptographic failures in FastAPI with API keys: risks, real code fixes, and secure validation patterns for keysCryptographic Failures in Fastapi with Hmac SignaturesCryptographic failures with Hmac Signatures in Fastapi: canonicalization, constant-time compare, key management, and secCryptographic Failures in Fastapi with Basic AuthCryptographic failures with FastAPI Basic Auth: why TLS is essential and how to remediate with secure code examples.