The Misleading Encryption State of Amazon Quantum Ledger Database (QLDB)

February 22, 2024
Jason Kao

The Misleading Encryption State of Amazon Quantum Ledger Database (QLDB)

When doing research on one of Amazon Web Services's newer database offerings, Amazon Quantum Ledger Database, we discovered inconsistent and misleading encryption status reported via AWS APIs and the CLI for Amazon QLDB.

The encryption status for Amazon QLDB that was returned via the DescribeLedger calls could be misleading for compliance and security reasons.  Accurate security depends on accurate reporting and visibility into configuration and state of data resources.  In the case of Amazon QLDB and data security, misleading encryption status could lead to false positives and AWS customers believing their QLDB Ledgers to be unencrypted when in fact their Ledgers are encrypted.

The short summary:

We reported this to AWS Security in February 2024 and they're working on a documentation update.

Update: As of February 26th, 2024, AWS has completed their updates to the Amazon QLDB Developer Guide Documentation with our recommended clarifications. Thanks to the AWS team for the quick responses and collaboration.


When using the CLI or Amazon APIs to describe QLDB Ledgers and their encryption configuration, we observed the 2 following scenarios:

QLDB describe ledger call for ledger encrypted with an AWS-owned KMS key, February 2024
QLDB describe ledger call for ledger updating to encryption with an AWS-owned KMS key, February 2024

Both of these are misleading for the following reasons:


Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database provided by AWS. All data stored in Amazon QLDB is fully encrypted at rest by default using encryption keys in AWS Key Management Service (KMS).  QLDB permits use of either an AWS owned key or a customer managed key.

Note: Amazon QLDB launched support for customer managed AWS Keys in July of 2021. Ledgers created prior to that date are protected by AWS owned keys by default.

AWS Console Screenshot of QLDB Ledger, February 2024

With Amazon QLDB, the only way to retrieve encryption information about a QLDB Ledger is the `DescribeLedger` API call. This returns a LedgerEncryptionDescription Object including the "current status, the AWS KMS Key, and when the key became inaccessible (in the case of an error)".

AWS's LedgerEncryptionDescription, February 2024
AWS CLI Reference, February 2024 on EncryptionDescription for DescribeLedger

To check encryption status, we first create a QLDB Ledger. This can be done either via AWS Console or programmatically.  In this case, we create it programmatically via the AWS CLI:

QLDB Create Ledger CLI, February 2024

Note that a ledger encrypted with an AWS Owned KMS Key can be created 2 ways: with the --kms-key value set to AWS_OWNED_KMS_KEY or left as undefined.  By default, the creation of a ledger will use an Amazon Web Services owned KMS key.

Now, when we describe this ledger (and tested with both creation options of having a --kms-key value set to AWS_OWNED_KMS_KEY as well as undefined), we get the following:

QLDB Describe Ledger CLI, February 2024

Note in both these responses, there is no response for EncryptionDescription and the included fields: EncryptionStatus and KmsKeyArn. Those fields exist when describing a QLDB with a customer managed AWS Key.

QLBD Describe Ledger (Customer Managed AWS key) CLI, February 2024

Let's now update QLDB's encryption from a customer managed AWS Key to a AWS-owned KMS key. This can be done with the UpdateLedger API call.  Describing a Ledger in the process of updating Encryption Status results in the following:

QLDB Describe Ledger (Updating to AWS Owned KMS key) CLI, February 2024

The "AWS_OWNED_KMS_KEY" is inconsistent and undocumented for the specific DescribeLedger CLI response.

We have shown the following 2 undocumented observations regarding encryption state of QLDB Ledgers:


We are always looking to provide clarity on cloud data security and proper data asset management. The following steps can be taken to improve security.

If you have comments or questions about cloud data security, we're here to help. Reach out to our team!

AWS's Updated Documentation

Below are screenshot's of AWS's updated documentation with the clarifications for the above findings. Clarifications are highlighted in red.

AWS's Updated Documentation for EncryptionDescription for DescribeLedger, late February 2024
AWS's Updated Documentation for KmsKeyArn specifying Update Behavior, late February 2024


Subscribe to stay up to date on cloud data security and our work.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.