Skip to main content

πŸ›‘οΈ AWS DAX Cluster Server-Side Encryption is not enabled🟒

  • Contextual name: πŸ›‘οΈ Cluster Server-Side Encryption is not enabled🟒
  • ID: /ce/ca/aws/dax/cluster-server-side-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-e9e997041

Description​

Open File

Description​

Ensure that Amazon DynamoDB Accelerator (DAX) clusters have server-side encryption (SSE) enabled to protect data at rest.

Rationale​

Encrypting data at rest provides an additional layer of data protection that helps secure your data from unauthorized access to the underlying storage infrastructure. Many organizations are subject to regulatory or compliance mandates (such as HIPAA, PCI DSS, or GDPR) that require encryption of data at rest. Enabling SSE for DAX ensures alignment with these requirements and improves the overall security posture of cloud-hosted applications.

Impact​

Server-side encryption must be enabled at the time of cluster creation and cannot be modified afterward. To migrate an existing unencrypted cluster to use encryption at rest, you must create a new encrypted cluster and update your application to connect to the new cluster endpoint.

Audit​

This policy marks an AWS DAX Cluster as INCOMPLIANT if Server-Side Encryption Status is set to DISABLED.

Cluster using dax.r3.* Node Type is flagged as INAPPLICABLE, as these instance types do not support encryption at rest.

Remediation​

Open File

Remediation​

From Command Line​

Important​

DAX server-side encryption cannot be enabled on existing clusters. You must provision a new encrypted cluster, migrate the application, and optionally delete the old cluster.

Retrieve Existing Cluster Configuration​
aws dax describe-clusters \
    --cluster-names {{existing-cluster-name}}
Create a New Encrypted DAX Cluster​

Use the information from the previous step to create a new cluster with encryption enabled:

aws dax create-cluster \
    --cluster-name {{new-cluster-name}} \
    --node-type {{node-type}} \
    --replication-factor {{replication-factor}} \
    --iam-role-arn {{iam-role-arn}} \
    --subnet-group-name {{subnet-group}} \
    --sse-specification Enabled=true
Update Application to Use the New Cluster​

Once the new cluster is in available status, update your application configuration to point to the new cluster’s endpoint:

aws dax describe-clusters \
    --cluster-names {{new-cluster-name}} \
    --query "Clusters[0].ClusterDiscoveryEndpoint.Address"

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest11no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption57no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2627no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(10) Prevent Exfiltration (H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1634no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1732no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)521no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)132no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)21no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)132no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)21no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected164no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected140no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected156no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3133no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks32no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection423no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31733no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1021no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection20no data