
πŸ›‘οΈ AWS DAX Cluster Server-Side Encryption is not enabled🟒

  • Contextual name: πŸ›‘οΈ Cluster Server-Side Encryption is not enabled🟒
  • ID: /ce/ca/aws/dax/cluster-server-side-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

| Rule | Policies | Flags |
|---|---|---|
| ✉️ dec-x-e9e997041 | | |

Description

Ensure that Amazon DynamoDB Accelerator (DAX) clusters have server-side encryption (SSE) enabled to protect data at rest.

Rationale​

Encrypting data at rest provides an additional layer of data protection that helps secure your data from unauthorized access to the underlying storage infrastructure. Many organizations are subject to regulatory or compliance mandates (such as HIPAA, PCI DSS, or GDPR) that require encryption of data at rest. Enabling SSE for DAX ensures alignment with these requirements and improves the overall security posture of cloud-hosted applications.

Impact​

Server-side encryption must be enabled at the time of cluster creation and cannot be modified afterward. To migrate an existing unencrypted cluster to use encryption at rest, you must create a new encrypted cluster and update your application to connect to the new cluster endpoint.

Audit​

This policy marks an AWS DAX cluster as INCOMPLIANT if its Server-Side Encryption Status is DISABLED.

Clusters using a dax.r3.* node type are flagged as INAPPLICABLE, as these instance types do not support encryption at rest.

Remediation

From Command Line

Important

DAX server-side encryption cannot be enabled on existing clusters. You must provision a new encrypted cluster, migrate the application, and optionally delete the old cluster.

Retrieve Existing Cluster Configuration

```bash
aws dax describe-clusters \
  --cluster-names {{existing-cluster-name}}
```

Create a New Encrypted DAX Cluster

Use the information from the previous step to create a new cluster with encryption enabled:

```bash
aws dax create-cluster \
  --cluster-name {{new-cluster-name}} \
  --node-type {{node-type}} \
  --replication-factor {{replication-factor}} \
  --iam-role-arn {{iam-role-arn}} \
  --subnet-group-name {{subnet-group}} \
  --sse-specification Enabled=true
```

Update Application to Use the New Cluster

Once the new cluster is in available status, update your application configuration to point to the new cluster's endpoint:

```bash
aws dax describe-clusters \
  --cluster-names {{new-cluster-name}} \
  --query "Clusters[0].ClusterDiscoveryEndpoint.Address"
```

... [see more](remediation.md)
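Added example (not Cloudaware's code or the policy's own implementation): a script that applies the Audit rules above to `aws dax describe-clusters` JSON and, for each INCOMPLIANT cluster, derives the create-cluster parameters of its encrypted replacement following the remediation steps. The field names follow the DAX API response shape; the sample cluster records are constructed.

```python
import json

# Constructed sample in the JSON shape of `aws dax describe-clusters` output
# (field names as the DAX API returns them; the values are made up).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Clusters": [
    {"ClusterName": "orders-cache", "NodeType": "dax.r5.large", "TotalNodes": 3,
     "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
     "SubnetGroup": "dax-private-subnets", "SSEDescription": {"Status": "DISABLED"}},
    {"ClusterName": "legacy-cache", "NodeType": "dax.r3.large", "TotalNodes": 1,
     "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
     "SubnetGroup": "dax-private-subnets", "SSEDescription": {"Status": "DISABLED"}},
    {"ClusterName": "sessions-cache", "NodeType": "dax.t3.small", "TotalNodes": 2,
     "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
     "SubnetGroup": "dax-private-subnets", "SSEDescription": {"Status": "ENABLED"}},
]})

def audit(cluster: dict) -> str:
    """Apply the policy's Audit rules to one cluster record."""
    if cluster.get("NodeType", "").startswith("dax.r3."):
        return "INAPPLICABLE"  # r3 node types cannot encrypt at rest
    status = cluster.get("SSEDescription", {}).get("Status", "DISABLED")
    return "INCOMPLIANT" if status == "DISABLED" else "COMPLIANT"

def replacement_request(cluster: dict, new_name: str) -> dict:
    """Parameters for an encrypted successor: same sizing, IAM role and
    subnet group as the old cluster, with SSE forced on at creation time."""
    return {
        "ClusterName": new_name,
        "NodeType": cluster["NodeType"],
        "ReplicationFactor": cluster["TotalNodes"],
        "IamRoleArn": cluster["IamRoleArn"],
        "SubnetGroupName": cluster["SubnetGroup"],
        "SSESpecification": {"Enabled": True},
    }

def plan(describe_json: str) -> dict:
    """Audit every cluster; attach a create request for each INCOMPLIANT one."""
    result = {}
    for c in json.loads(describe_json)["Clusters"]:
        verdict = audit(c)
        entry = {"result": verdict}
        if verdict == "INCOMPLIANT":
            entry["create"] = replacement_request(c, c["ClusterName"] + "-sse")
        result[c["ClusterName"]] = entry
    return result

if __name__ == "__main__":
    print(json.dumps(plan(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Pipe real CLI output into `plan()` to get the same verdicts the policy reports, plus a ready-made parameter set for each cluster that needs replacing.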

policy.yaml

Linked Framework Sections

| Section | Sub Section | Internal Rules / Policies / Flags (counts run together in extraction) | Compliance |
|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest | 11 | no data |
| 💼 Cloudaware Framework | 💼 Data Encryption | 44 | no data |
| 💼 FedRAMP High Security Controls | 💼 AC-4(4) Flow Control of Encrypted Information (H) | 2526 | no data |
| 💼 FedRAMP High Security Controls | 💼 CM-3(6) Cryptography Management (H) | 6 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-7(10) Prevent Exfiltration (H) | 6 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 1624 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1724 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 514 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 24 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 124 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 24 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 124 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 148 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 125 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3032 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CA-9(1) Internal System Connections _ Compliance Checks | 25 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CM-3(6) Configuration Change Control _ Cryptography Management | 6 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration | 6 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-13 Cryptographic Protection | 413 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-28 Protection of Information at Rest | 31625 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1014 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | 12 | no data |