DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Encrypting data at rest reduces the risk that data stored on disk is read by someone who is not authenticated to AWS. The encryption adds another layer of access control that limits what an unauthorized user can do with the stored data: for example, API permissions are required to decrypt the data before it can be read.

Risk Level: Medium
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.AWS.CRY.85
Covered by Spectral: No
Category: Database

GSL LOGIC

DynamoDbTable should have sseDescription.status='ENABLED'

REMEDIATION

From Portal
Encryption at rest cannot be enabled or disabled on an existing DAX cluster. To encrypt an unencrypted cluster you must create a new cluster with encryption enabled, point your application at it, and then delete the old cluster. Follow these steps to create an encrypted DAX cluster using the console.

  1. Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.
  2. In the navigation pane on the left side of the console, under DAX, choose Clusters.
  3. Choose Create cluster.
  4. For Cluster name, enter a short name for your cluster. Choose the node type for all of the nodes in the cluster, and for the cluster size, use 3 nodes.
  5. In Encryption, make sure that Enable encryption is selected.
  6. After choosing the IAM role, subnet group, security groups, and cluster settings, choose Launch cluster.
    Note: To confirm that the cluster is encrypted, check the cluster details under the Clusters pane. Encryption should be ENABLED.

From Command Line

  1. Run the following command to create a new DAX cluster with Server-Side Encryption (SSE) enabled at launch, by setting the --sse-specification parameter to Enabled=true (substitute your own cluster name, node type, replication factor and role ARN).
aws dax create-cluster --cluster-name daxcluster --node-type dax.r4.large --replication-factor 3 --iam-role-arn role_ARN --sse-specification Enabled=true
  2. Once the new DAX cluster is available, change the cluster endpoint in your application to point to the new cluster.
  3. Terminate the old unencrypted cluster only after traffic has moved to the new one. Run the following command to delete it.
aws dax delete-cluster --region region_name --cluster-name example_dax_cluster_name
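The following is an added example, not CloudGuard's rule engine or AWS code. It applies the same test the rule expresses (encryption status must be ENABLED) to the JSON that `aws dax describe-clusters --output json` returns, and for each non-compliant cluster builds the `aws dax create-cluster` command line from the old cluster's own node type, node count, IAM role, subnet group and security groups, with `--sse-specification Enabled=true` added. The cluster names, ARN, subnet group and security group ID in the sample are constructed; the response field names (ClusterName, NodeType, TotalNodes, IamRoleArn, SubnetGroup, SecurityGroups, SSEDescription) are those of the DAX DescribeClusters API.

```python
"""Flag DAX clusters whose encryption at rest is not ENABLED and build the
recreate command for each one.  Added example; not CloudGuard or AWS code."""
import json
import shlex

# Constructed sample in the shape of `aws dax describe-clusters --output json`.
# Only the fields used by the check and the remediation are included.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterName": "daxcluster",
            "NodeType": "dax.r4.large",
            "TotalNodes": 3,
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
            "SubnetGroup": "dax-subnet-group",
            "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0123456789abcdef0",
                                "Status": "active"}],
            "SSEDescription": {"Status": "ENABLED"},
        },
        {
            "ClusterName": "legacy-cache",
            "NodeType": "dax.r4.large",
            "TotalNodes": 3,
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
            "SubnetGroup": "dax-subnet-group",
            "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0123456789abcdef0",
                                "Status": "active"}],
            "SSEDescription": {"Status": "DISABLED"},
        },
        {
            # Edge case: description carries no SSEDescription block at all.
            "ClusterName": "old-cache",
            "NodeType": "dax.t2.small",
            "TotalNodes": 1,
            "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
            "SecurityGroups": [],
        },
    ]
})


def sse_status(cluster: dict) -> str:
    """Return SSEDescription.Status; a missing block is treated as DISABLED."""
    return (cluster.get("SSEDescription") or {}).get("Status", "DISABLED")


def noncompliant_clusters(describe_output_json: str) -> list:
    """Clusters whose status is anything other than ENABLED (the rule's test).
    ENABLING/DISABLING are transitional and also fail, matching the rule."""
    clusters = json.loads(describe_output_json).get("Clusters", [])
    return [c for c in clusters if sse_status(c) != "ENABLED"]


def recreate_command(cluster: dict, new_name: str) -> str:
    """Build the create-cluster command for an encrypted replacement, copying
    the sizing and network settings of the unencrypted cluster."""
    args = [
        "aws", "dax", "create-cluster",
        "--cluster-name", new_name,
        "--node-type", cluster["NodeType"],
        "--replication-factor", str(cluster["TotalNodes"]),
        "--iam-role-arn", cluster["IamRoleArn"],
        "--sse-specification", "Enabled=true",
    ]
    if cluster.get("SubnetGroup"):
        args += ["--subnet-group-name", cluster["SubnetGroup"]]
    sg_ids = [sg["SecurityGroupIdentifier"] for sg in cluster.get("SecurityGroups", [])]
    if sg_ids:
        args += ["--security-group-ids", *sg_ids]
    return shlex.join(args)


def report(describe_output_json: str) -> list:
    """One (cluster name, status, remediation command) tuple per finding."""
    return [(c["ClusterName"], sse_status(c), recreate_command(c, c["ClusterName"] + "-sse"))
            for c in noncompliant_clusters(describe_output_json)]


if __name__ == "__main__":
    for name, status, cmd in report(SAMPLE_DESCRIBE_CLUSTERS):
        print(f"{name}: SSE status {status}")
        print("  " + cmd)
```

To run it against a real account, replace the embedded sample with the output of `aws dax describe-clusters --output json` for each region. The generated command is a starting point only: review the node type, replication factor and parameter group before creating the replacement, and delete the old cluster only after the application is using the new endpoint.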

References

  1. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html#dax.encryption.tutorial-console
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dax/create-cluster.html

Amazon DynamoDB

Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset