Ensure DAX is encrypted at rest (default is unencrypted)

Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection, helping secure your data from unauthorized access to the underlying storage. With encryption at rest, the data persisted by DAX on disk is encrypted using 256-bit Advanced Encryption Standard (AES-256). DAX writes data to disk as part of propagating changes from the primary node to read replicas. DAX encryption at rest automatically integrates with AWS KMS for managing the single service default key used to encrypt clusters.

Risk Level: High
Cloud Entity: AWS DAX Cluster
CloudGuard Rule ID: D9.CFT.CRY.22
Covered by Spectral: No
Category: Database


AWS_DAX_Cluster should have SSESpecification.SSEEnabled=true


From CFT
Supply AWS::DAX::Cluster::SSESpecification::SSEEnabled with Boolean value 'true'
See the example below:

Type: AWS::DAX::Cluster
Properties:
  SSESpecification:
    SSEEnabled: true


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dax-cluster-ssespecification.html#cfn-dax-cluster-ssespecification-sseenabled
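The rule above can also be checked before deployment. The following is an added example, not CloudGuard's own implementation: it walks a parsed CloudFormation template and classifies each AWS::DAX::Cluster by its SSESpecification.SSEEnabled value. The sample template, the resource names, the EncryptDax parameter and the function names are constructed for illustration.

```python
def _cluster(props):
    """Build a constructed AWS::DAX::Cluster resource for the sample below."""
    return {"Type": "AWS::DAX::Cluster", "Properties": props}


# Constructed sample, shaped like a parsed JSON template (not from the page).
SAMPLE_TEMPLATE = {"Resources": {
    "GoodCluster": _cluster({"SSESpecification": {"SSEEnabled": True}}),
    "DefaultCluster": _cluster({"NodeType": "dax.r5.large"}),
    "DisabledCluster": _cluster({"SSESpecification": {"SSEEnabled": "false"}}),
    "ParamCluster": _cluster({"SSESpecification": {"SSEEnabled": {"Ref": "EncryptDax"}}}),
    "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
}}


def is_intrinsic(value):
    """True for a single-key mapping such as {"Ref": ...} or {"Fn::If": ...}."""
    return (isinstance(value, dict) and len(value) == 1
            and next(iter(value)).startswith(("Ref", "Fn::")))


def classify_sse(resource):
    """Return 'pass', 'fail' or 'unresolved' for one AWS::DAX::Cluster resource."""
    sse = (resource.get("Properties") or {}).get("SSESpecification")
    if is_intrinsic(sse):
        return "unresolved"  # whole block is conditional; needs the deployed value
    if not isinstance(sse, dict) or "SSEEnabled" not in sse:
        return "fail"  # property absent: the cluster is created unencrypted
    value = sse["SSEEnabled"]
    if isinstance(value, bool):
        return "pass" if value else "fail"
    if isinstance(value, str):
        # Assumption: a quoted "true" in the template counts as enabled.
        return "pass" if value.strip().lower() == "true" else "fail"
    return "unresolved"  # Ref / Fn::If etc. cannot be decided statically


def check_template(template):
    """Map each DAX cluster's logical ID to its verdict."""
    return {name: classify_sse(res)
            for name, res in (template.get("Resources") or {}).items()
            if isinstance(res, dict) and res.get("Type") == "AWS::DAX::Cluster"}


if __name__ == "__main__":
    for name, verdict in check_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")
```

Resources reported as unresolved depend on a parameter or condition, so they need review against the values actually used at deployment.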

AWS DAX Cluster

Amazon DynamoDB is designed for scale and performance. In most cases, DynamoDB response times can be measured in single-digit milliseconds. However, there are certain use cases that require response times in microseconds. For these use cases, DynamoDB Accelerator (DAX) delivers fast response times for accessing eventually consistent data. DAX is a DynamoDB-compatible caching service that enables you to benefit from fast in-memory performance for demanding applications. The AWS::DAX::Cluster resource creates a DAX cluster. All nodes in the cluster run the same DAX caching software.

Compliance Frameworks

  • AWS CloudFormation ruleset