Ensure DAX encryption at rest is not disabled
ID | dax_encryption_disabled |
Severity | critical |
Vendor | AWS |
Resource | DAX |
Tags | reachable |
Description
Amazon DynamoDB is designed for scale and performance. In most cases, the DynamoDB response times can be measured in single-digit milliseconds. However, there are certain use cases that require response times in microseconds. For these use cases, DynamoDB Accelerator (DAX) delivers fast response times for accessing eventually consistent data.
DAX is a DynamoDB-compatible caching service that enables you to benefit from fast in-memory performance for demanding applications.
Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
With encryption at rest, the data persisted by DAX on disk is encrypted using 256-bit Advanced Encryption Standard, also known as AES-256 encryption. DAX writes data to disk as part of propagating changes from the primary node to read replicas.
Learn more about this topic at DAX encryption at rest.
Examples
Buildtime
CloudFormation
{
  "Resources": {
    "daxCluster": { (1)
      "Type": "AWS::DAX::Cluster",
      "Properties": {
        "ClusterName": "MyDAXCluster",
        "NodeType": "dax.r3.large",
        "ReplicationFactor": 1,
        "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
        "Description": "DAX cluster created with CloudFormation"
      }
    }
  }
}
1 | Missing SSESpecification / SSEEnabled property means encryption at rest is disabled (the service default). |
Resources:
  daxCluster: (1)
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: "MyDAXCluster"
      NodeType: "dax.r3.large"
      ReplicationFactor: 1
      IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
      Description: "DAX cluster created with CloudFormation"
1 | Missing SSESpecification / SSEEnabled property means encryption at rest is disabled (the service default). |
Terraform
resource "aws_dax_cluster" "example" {
  cluster_name       = "example"
  iam_role_arn       = data.aws_iam_role.example.arn
  node_type          = "dax.r4.large"
  replication_factor = 1

  server_side_encryption {
    enabled = false (1)
  }
}

resource "aws_dax_cluster" "example" {
  cluster_name       = "example"
  iam_role_arn       = data.aws_iam_role.example.arn
  node_type          = "dax.r4.large"
  replication_factor = 1 (2)
}
1 | server_side_encryption.enabled is explicitly set to false, so the cluster is created without encryption at rest. |
2 | No server_side_encryption block is specified; the default for enabled is false, so the result is the same. |
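The page shows no Terraform mitigation, so here is the corrected form of the same resource as an added example (not from the original page). It assumes the same `data.aws_iam_role.example` data source the vulnerable snippets reference; the only change is the `server_side_encryption` block with `enabled = true`:

```hcl
resource "aws_dax_cluster" "example" {
  cluster_name       = "example"
  iam_role_arn       = data.aws_iam_role.example.arn
  node_type          = "dax.r4.large"
  replication_factor = 1

  # Encryption at rest is chosen when the cluster is created and cannot be
  # turned on for an existing cluster; an existing unencrypted cluster has to
  # be recreated with this block present.
  server_side_encryption {
    enabled = true
  }
}
```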
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "daxCluster": {
      "Type": "AWS::DAX::Cluster",
      "Properties": {
        "ClusterName": "MyDAXCluster",
        "NodeType": "dax.r3.large",
        "ReplicationFactor": 1,
        "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
        "Description": "DAX cluster created with CloudFormation",
        "SSESpecification": {
          "SSEEnabled": true (1)
        }
      }
    }
  }
}
1 | SSEEnabled set to true means encryption at rest is enabled. |
Resources:
  daxCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: "MyDAXCluster"
      NodeType: "dax.r3.large"
      ReplicationFactor: 1
      IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
      Description: "DAX cluster created with CloudFormation"
      SSESpecification:
        SSEEnabled: true (1)
1 | SSEEnabled set to true means encryption at rest is enabled. |
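A buildtime check for this rule can be expressed as a short template scan. The script below is an added example for this page (it is not the project's own checker): it walks the `Resources` of a CloudFormation template, selects `AWS::DAX::Cluster` resources and reports any whose `SSESpecification.SSEEnabled` is missing or not true. It parses JSON templates with the standard library only; the sample template embedded in it is constructed for the demonstration and is not taken from the page, and YAML templates would additionally need a YAML parser, which is not assumed here.

```python
"""Flag AWS::DAX::Cluster resources in a CloudFormation JSON template that do
not enable encryption at rest (SSESpecification.SSEEnabled: true).

Added example for the dax_encryption_disabled rule page; not the project's
own checker. JSON only (stdlib json); YAML would need an extra parser.
"""
import json
import sys

# Constructed sample template (not from the page): one compliant cluster, one
# with the property missing, one explicitly disabled, and an unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "encryptedCluster": {
      "Type": "AWS::DAX::Cluster",
      "Properties": {
        "ClusterName": "encrypted",
        "NodeType": "dax.r4.large",
        "ReplicationFactor": 1,
        "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
        "SSESpecification": {"SSEEnabled": true}
      }
    },
    "missingSpec": {
      "Type": "AWS::DAX::Cluster",
      "Properties": {
        "ClusterName": "missing",
        "NodeType": "dax.r4.large",
        "ReplicationFactor": 1,
        "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess"
      }
    },
    "explicitlyDisabled": {
      "Type": "AWS::DAX::Cluster",
      "Properties": {
        "ClusterName": "disabled",
        "NodeType": "dax.r4.large",
        "ReplicationFactor": 1,
        "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
        "SSESpecification": {"SSEEnabled": false}
      }
    },
    "ordersTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {"BillingMode": "PAY_PER_REQUEST"}
    }
  }
}
""")


def sse_enabled(value):
    """CloudFormation accepts a boolean or the strings "true"/"false" here.
    Anything else (None, other strings, intrinsic functions) counts as not
    enabled, so an unresolved value is reported rather than silently passed."""
    if value is True:
        return True
    if isinstance(value, str) and value.strip().lower() == "true":
        return True
    return False


def dax_clusters_without_sse(template):
    """Return (logical_id, reason) for each DAX cluster whose encryption at rest
    is not enabled. A missing SSESpecification is a finding because the service
    default is unencrypted."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DAX::Cluster":
            continue
        props = resource.get("Properties") or {}
        if "SSESpecification" not in props:
            findings.append((logical_id, "SSESpecification is missing"))
            continue
        value = (props.get("SSESpecification") or {}).get("SSEEnabled")
        if not sse_enabled(value):
            findings.append((logical_id, "SSEEnabled is %r, expected true" % (value,)))
    return findings


def scan_file(path):
    """Scan one JSON template file on disk."""
    with open(path, encoding="utf-8") as fh:
        return dax_clusters_without_sse(json.load(fh))


if __name__ == "__main__":
    # Usage: python dax_sse_check.py template1.json template2.json ...
    # With no arguments the constructed sample template is scanned.
    paths = sys.argv[1:]
    if paths:
        results = [(p, scan_file(p)) for p in paths]
    else:
        results = [("<sample>", dax_clusters_without_sse(SAMPLE_TEMPLATE))]
    exit_code = 0
    for path, findings in results:
        for logical_id, reason in findings:
            print("%s: %s: %s" % (path, logical_id, reason))
            exit_code = 1
    sys.exit(exit_code)
```

The non-zero exit status makes the script usable as a pre-merge gate in CI; on the sample template it reports `missingSpec` and `explicitlyDisabled` and leaves the compliant cluster and the DynamoDB table alone.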
Runtime
AWS Console
To enable DAX SSE go to the Amazon DynamoDB Console:
- In the navigation pane, choose Clusters under DAX.
- Select Create Cluster.
- In Encryption, ensure that Enable encryption is selected.
- After selecting the IAM role, subnet group, security groups, and cluster settings, select Launch cluster.
Encryption at rest can only be chosen when the cluster is created; it cannot be enabled afterwards on an existing cluster, so an unencrypted cluster has to be replaced by a new one created with encryption enabled.
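For the runtime side, the same condition can be audited across an account with the DescribeClusters API instead of the console. The script below is an added example for this page (not the project's own tooling): the pure-logic function inspects the `SSEDescription.Status` field of each cluster in a DescribeClusters response and reports everything that is not `ENABLED`, so it can be exercised offline on the constructed sample response; `audit_region()` wraps it with boto3, which is assumed to be installed and credentialed, and pages through `NextToken`.

```python
"""Audit existing DAX clusters for encryption at rest via DescribeClusters.

Added example for the dax_encryption_disabled rule page; not the project's own
tooling. unencrypted_clusters() works on a plain response dict so it runs
offline; audit_region() assumes boto3 and AWS credentials are available.
"""

# Constructed sample DescribeClusters response (not captured from a real account).
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterName": "orders-cache", "Status": "available",
         "SSEDescription": {"Status": "ENABLED"}},
        {"ClusterName": "legacy-cache", "Status": "available",
         "SSEDescription": {"Status": "DISABLED"}},
        # Response with no SSEDescription at all: treated as unencrypted.
        {"ClusterName": "old-cache", "Status": "available"},
    ]
}


def unencrypted_clusters(response):
    """Return the names of clusters whose SSEDescription.Status is not ENABLED.

    A missing SSEDescription is reported too. Because encryption is fixed at
    creation time, every name returned here is a cluster that has to be
    recreated rather than reconfigured."""
    names = []
    for cluster in response.get("Clusters", []):
        status = (cluster.get("SSEDescription") or {}).get("Status", "DISABLED")
        if status != "ENABLED":
            names.append(cluster["ClusterName"])
    return names


def audit_region(region_name):
    """Page through DescribeClusters with boto3 and collect unencrypted names."""
    import boto3  # imported here so the offline function does not require it
    client = boto3.client("dax", region_name=region_name)
    findings = []
    kwargs = {}
    while True:
        page = client.describe_clusters(**kwargs)
        findings.extend(unencrypted_clusters(page))
        token = page.get("NextToken")
        if not token:
            return findings
        kwargs = {"NextToken": token}


if __name__ == "__main__":
    import sys
    # Usage: python dax_sse_audit.py <region>; no argument scans the sample.
    if len(sys.argv) > 1:
        names = audit_region(sys.argv[1])
    else:
        names = unencrypted_clusters(SAMPLE_RESPONSE)
    for name in names:
        print("DAX cluster without encryption at rest: %s" % name)
    sys.exit(1 if names else 0)
```

Run periodically (or from a scheduled job), this turns the console check into a detection that catches clusters created outside the reviewed templates.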