🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢

• Contextual name: 🛡️ Cluster Server-Side Encryption is not enabled🟢
• ID: /ce/ca/aws/dax/cluster-server-side-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS DAX Cluster
  • 🔌 AWS DAX Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
• Internal: dec-x-e9e99704

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-e9e99704	1

Description

Open File

Description

Ensure that Amazon DynamoDB Accelerator (DAX) clusters have server-side encryption (SSE) enabled to protect data at rest.

Rationale

Encrypting data at rest provides an additional layer of data protection that helps secure your data from unauthorized access to the underlying storage infrastructure. Many organizations are subject to regulatory or compliance mandates, such as HIPAA, PCI DSS, or GDPR, that require encryption of data at rest. Enabling SSE for DAX aligns with these requirements and improves the overall security posture of cloud hosted applications.

Impact

Server-side encryption must be enabled at the time of cluster creation and cannot be modified afterward. To migrate an existing unencrypted cluster to use encryption at rest, create a new encrypted cluster and update your application to connect to the new cluster endpoint.

Audit

This policy marks an AWS DAX Cluster as INCOMPLIANT if Server-Side Encryption Status is set to DISABLED.

Clusters using the dax.r3.* Node Type are flagged as INAPPLICABLE because these instance types do not support encryption at rest.

Remediation

Open File

Remediation

From Command Line

Important

Server-side encryption for DAX cannot be enabled on existing clusters. You must provision a new encrypted cluster, migrate the application, and optionally delete the old cluster.

Retrieve Existing Cluster Configuration

aws dax describe-clusters \
    --cluster-names {{existing-cluster-name}}

Create a New Encrypted DAX Cluster

Use the information from the previous step to create a new cluster with encryption enabled:

aws dax create-cluster \
    --cluster-name {{new-cluster-name}} \
    --node-type {{node-type}} \
    --replication-factor {{replication-factor}} \
    --iam-role-arn {{iam-role-arn}} \
    --subnet-group-name {{subnet-group}} \
    --sse-specification Enabled=true

Update Application to Use the New Cluster

Once the new cluster is in the available status, update your application configuration to point to the new cluster endpoint:

aws dax describe-clusters \
    --cluster-names {{new-cluster-name}} \
    --query "Clusters[0].ClusterDiscoveryEndpoint.Address"

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest		1	1		no data
💼 Cloudaware Framework → 💼 Data Encryption			61		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data