
πŸ“ AWS DAX Cluster Server-Side Encryption is not enabled 🟒

  • Contextual name: 📁 Cluster Server-Side Encryption is not enabled 🟢
  • ID: /ce/ca/aws/dax/cluster-server-side-encryption
  • Located in: 📁 AWS DAX

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule · Policies · Flags
✉️ dec-x-e9e997041

Logic

Description

Ensure that Amazon DynamoDB Accelerator (DAX) clusters have server-side encryption (SSE) enabled to protect data at rest.

Rationale​

Encrypting data at rest adds a layer of protection against anyone who gains access to the underlying storage media or infrastructure without going through the DAX API and its IAM controls. Many organizations are also subject to regulatory or compliance mandates (such as HIPAA, PCI DSS, or GDPR) that require encryption of data at rest. Enabling SSE for DAX aligns the cache layer with those requirements; note that a DAX cluster holds a copy of DynamoDB table data, so an unencrypted cluster undermines encryption already applied to the table itself.

Impact​

Server-side encryption must be enabled at the time of cluster creation and cannot be changed afterward. To move an existing unencrypted cluster to encryption at rest, you must create a new encrypted cluster and update your application to connect to the new cluster endpoint. Because DAX is a write-through cache, the replacement cluster starts empty; plan the cutover for a period when the resulting increase in DynamoDB read traffic is acceptable.

Audit​

This policy marks an AWS DAX Cluster as INCOMPLIANT if its Server-Side Encryption Status (the SSEDescription.Status field returned by describe-clusters) is DISABLED.

Clusters using a dax.r3.* node type are flagged as INAPPLICABLE, because these node types do not support encryption at rest.

Remediation

From Command Line

Important

DAX server-side encryption cannot be enabled on an existing cluster. You must provision a new encrypted cluster, migrate the application to it, and optionally delete the old cluster. Encryption in transit (--cluster-endpoint-encryption-type) is likewise fixed when a cluster is created, so decide both settings before creating the replacement.

Retrieve Existing Cluster Configuration

aws dax describe-clusters \
    --cluster-names {{existing-cluster-name}}

Create a New Encrypted DAX Cluster

Use the information from the previous step (node type, node count, IAM role, subnet group, security groups) to create a new cluster with encryption enabled:

aws dax create-cluster \
    --cluster-name {{new-cluster-name}} \
    --node-type {{node-type}} \
    --replication-factor {{replication-factor}} \
    --iam-role-arn {{iam-role-arn}} \
    --subnet-group-name {{subnet-group}} \
    --sse-specification Enabled=true

Update Application to Use the New Cluster

Once the new cluster reaches the available status, update your application configuration to point to the new cluster's discovery endpoint:

aws dax describe-clusters \
    --cluster-names {{new-cluster-name}} \
    --query "Clusters[0].ClusterDiscoveryEndpoint.Address"
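The audit rule above (INCOMPLIANT when SSEDescription.Status is DISABLED, INAPPLICABLE for dax.r3.* node types) and the recreate-and-migrate remediation can both be exercised offline with the script below. It is an added example written for this page, not the policy's own rule code or an AWS tool. It consumes the JSON shape that `aws dax describe-clusters` prints (the same structure boto3's describe_clusters() returns), so real output can be fed to it; the three clusters in SAMPLE_DESCRIBE_OUTPUT, including their names, account ID and security-group ID, are constructed. Treating an absent SSEDescription block or a transitional status as failing is an assumption made here and is stricter than the literal rule.

```python
"""Audit DAX clusters for server-side encryption and plan the encrypted replacement.

Added example for this page, not the policy's rule code or AWS tooling.
Input is the JSON printed by `aws dax describe-clusters`; SAMPLE_DESCRIBE_OUTPUT is constructed.
"""
import json
import shlex
import sys

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"

# Constructed sample covering the three verdicts the policy produces.
SAMPLE_DESCRIBE_OUTPUT = {
    "Clusters": [
        {
            "ClusterName": "orders-cache",
            "NodeType": "dax.r5.large",
            "TotalNodes": 3,
            "Status": "available",
            "ClusterDiscoveryEndpoint": {"Address": "orders-cache.abc123.dax-clusters.us-east-1.amazonaws.com", "Port": 8111},
            "SubnetGroup": "app-private",
            "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0123456789abcdef0", "Status": "active"}],
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
            "ParameterGroup": {"ParameterGroupName": "default.dax1.0", "ParameterApplyStatus": "in-sync"},
            "SSEDescription": {"Status": "DISABLED"},
            "ClusterEndpointEncryptionType": "NONE",
        },
        {
            # r3 node types never carry encryption; assume SSEDescription may be absent entirely.
            "ClusterName": "legacy-r3",
            "NodeType": "dax.r3.large",
            "TotalNodes": 1,
            "Status": "available",
            "SubnetGroup": "app-private",
            "SecurityGroups": [],
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
        },
        {
            "ClusterName": "session-cache",
            "NodeType": "dax.t3.small",
            "TotalNodes": 2,
            "Status": "available",
            "SubnetGroup": "app-private",
            "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0123456789abcdef0", "Status": "active"}],
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
            "SSEDescription": {"Status": "ENABLED"},
            "ClusterEndpointEncryptionType": "TLS",
        },
    ]
}


def sse_status(cluster):
    """Return SSEDescription.Status; a missing block is treated as DISABLED (assumption made here)."""
    return (cluster.get("SSEDescription") or {}).get("Status", "DISABLED").upper()


def evaluate_cluster(cluster):
    """Apply the policy's audit rule to one cluster description."""
    # dax.r3.* node types do not support encryption at rest, so the rule cannot apply.
    if cluster.get("NodeType", "").startswith("dax.r3."):
        return INAPPLICABLE
    # The page names DISABLED as the failing state; anything other than ENABLED
    # (absent block, DISABLING, ENABLING) is treated as failing here, a conservative choice.
    return COMPLIANT if sse_status(cluster) == "ENABLED" else INCOMPLIANT


def evaluate(describe_output):
    """Map every cluster name in a describe-clusters response to its verdict."""
    return {c["ClusterName"]: evaluate_cluster(c) for c in describe_output.get("Clusters", [])}


def build_create_cluster_argv(cluster, new_name):
    """Build the `aws dax create-cluster` argv that recreates `cluster` as `new_name` with SSE on.

    Node type, node count (replication factor), IAM role and subnet group are copied from
    the existing cluster; security groups, parameter group and endpoint encryption type
    are carried over when present, so the replacement matches the original apart from SSE.
    """
    node_type = cluster["NodeType"]
    if node_type.startswith("dax.r3."):
        raise ValueError(f"{node_type} does not support encryption at rest; choose another node type")
    argv = [
        "aws", "dax", "create-cluster",
        "--cluster-name", new_name,
        "--node-type", node_type,
        "--replication-factor", str(cluster["TotalNodes"]),
        "--iam-role-arn", cluster["IamRoleArn"],
        "--subnet-group-name", cluster["SubnetGroup"],
        "--sse-specification", "Enabled=true",
    ]
    sg_ids = [sg["SecurityGroupIdentifier"] for sg in cluster.get("SecurityGroups", [])]
    if sg_ids:
        argv += ["--security-group-ids", *sg_ids]
    pg_name = (cluster.get("ParameterGroup") or {}).get("ParameterGroupName")
    if pg_name:
        argv += ["--parameter-group-name", pg_name]
    if cluster.get("ClusterEndpointEncryptionType"):
        argv += ["--cluster-endpoint-encryption-type", cluster["ClusterEndpointEncryptionType"]]
    return argv


def main():
    # Pass a file of real describe-clusters output as the first argument; otherwise use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    verdicts = evaluate(data)
    for cluster in data.get("Clusters", []):
        name = cluster["ClusterName"]
        print(f"{name}: {verdicts[name]}")
        if verdicts[name] == INCOMPLIANT:
            print("  " + shlex.join(build_create_cluster_argv(cluster, f"{name}-sse")))


if __name__ == "__main__":
    main()
```

Run it as `aws dax describe-clusters > clusters.json && python dax_sse_audit.py clusters.json` to get a verdict per cluster and, for each INCOMPLIANT one, the create-cluster command for its encrypted replacement. The generated command carries over the existing ClusterEndpointEncryptionType; since in-transit encryption is also fixed at creation, the replacement is the moment to switch a NONE cluster to TLS, with the understanding that clients must then be updated to connect over TLS as well as to the new endpoint.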

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

Section · Sub Sections · Internal Rules · Policies · Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest · 11
💼 Cloudaware Framework → 💼 Data Encryption · 42
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) · 2526
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H) · 6
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H) · 6
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) · 1624
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) · 1724
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) · 514
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) · 24
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) · 124
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) · 14
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) · 24
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) · 124
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) · 14
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected · 114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected · 94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected · 108
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains · 3032
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks · 20
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management · 6
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration · 6
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection · 413
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest · 31625
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection · 1014
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection · 12