AWS DAX cluster not configured with encryption at rest
Description
AWS DAX encryption at rest adds a layer of protection for the data DAX persists to disk, helping to secure it against anyone who gains access to the underlying storage media. It does not protect traffic between the DAX cluster and its clients; that is covered by DAX encryption in transit, which is a separate cluster setting. Encryption at rest can only be enabled when a cluster is created and cannot be turned on for an existing cluster, so an unencrypted cluster has to be replaced by a new, encrypted one. We recommend enabling encryption at rest on every DAX cluster.
NOTE: With encryption at rest, the data persisted by DAX on disk is encrypted using 256-bit Advanced Encryption Standard (AES-256).
Remediation
AWS Console
To create a DAX cluster with encryption at rest enabled using the AWS Console, follow these steps:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon DynamoDB console at https://console.aws.amazon.com/dynamodb/.
3. In the navigation pane on the left side of the console, under DAX, select Clusters.
4. Click Create Cluster.
5. For Cluster name, enter a short name for your cluster. Select the node type for all of the nodes in the cluster, and for the cluster size, use 3 nodes.
6. In Encryption, make sure that Enable encryption is selected.
7. After selecting the IAM role, subnet group, security groups, and cluster settings, select Launch cluster.
CLI Command
To create a DAX cluster with encryption at rest enabled, pass --sse-specification Enabled=true to create-cluster (replace roleARN with the ARN of the IAM role the cluster uses to access DynamoDB). Once the cluster is available, the SSEDescription.Status field returned by describe-clusters should read ENABLED:
```
aws dax create-cluster \
  --cluster-name daxcluster \
  --node-type dax.r4.large \
  --replication-factor 3 \
  --iam-role-arn roleARN \
  --sse-specification Enabled=true
```
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0101 |
| Severity | INFO |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_47 |
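The rule in the table above is evaluated against CloudFormation and Terraform definitions. The following Python script is an added example, not code from the original page and not Checkov's implementation of CKV_AWS_47: it applies the same condition the rule expresses, that every DAX cluster must have server-side encryption enabled, to two constructed inputs, a CloudFormation template in JSON form and a Terraform plan in the shape of `terraform show -json`. The logical IDs, the `DaxRole` reference, the resource addresses and all sample values are made up for the example.

```python
"""Offline check for the DAX encryption-at-rest rule over IaC definitions.

Added example, not the page's own code and not Checkov's implementation of
CKV_AWS_47: it applies the same condition (every DAX cluster must have
server-side encryption enabled) to constructed CloudFormation and Terraform
plan inputs.
"""
import json
from typing import Dict, List, Optional


def _cfn_dax_cluster(name: str, sse: Optional[dict]) -> dict:
    """Build a constructed AWS::DAX::Cluster resource; sse=None omits SSESpecification."""
    props = {
        "ClusterName": name,
        "NodeType": "dax.r4.large",
        "ReplicationFactor": 3,
        "IAMRoleARN": {"Fn::GetAtt": ["DaxRole", "Arn"]},  # assumed role resource
    }
    if sse is not None:
        props["SSESpecification"] = sse
    return {"Type": "AWS::DAX::Cluster", "Properties": props}


# Constructed CloudFormation template (JSON form): one compliant cluster,
# one with SSE explicitly disabled, one that omits SSESpecification entirely.
CFN_TEMPLATE = json.dumps({"Resources": {
    "EncryptedCluster": _cfn_dax_cluster("dax-encrypted", {"SSEEnabled": True}),
    "DisabledCluster": _cfn_dax_cluster("dax-plain", {"SSEEnabled": False}),
    "DefaultCluster": _cfn_dax_cluster("dax-default", None),
    "UnrelatedTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
}})

# Constructed Terraform plan JSON with the shape of `terraform show -json plan`.
TF_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_dax_cluster.encrypted", "type": "aws_dax_cluster",
     "values": {"cluster_name": "dax-encrypted",
                "server_side_encryption": [{"enabled": True}]}},
    {"address": "aws_dax_cluster.plain", "type": "aws_dax_cluster",
     "values": {"cluster_name": "dax-plain", "server_side_encryption": []}},
]}}})


def _sse_enabled(value) -> bool:
    """CloudFormation accepts the booleans true/false and the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def check_cloudformation(template_json: str) -> Dict[str, str]:
    """Return {logical_id: "PASSED"|"FAILED"} for every AWS::DAX::Cluster.

    An absent SSESpecification fails too: DAX defaults to no encryption at rest.
    """
    template = json.loads(template_json)
    results: Dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DAX::Cluster":
            continue
        sse = resource.get("Properties", {}).get("SSESpecification", {})
        enabled = _sse_enabled(sse.get("SSEEnabled", False))
        results[logical_id] = "PASSED" if enabled else "FAILED"
    return results


def check_terraform_plan(plan_json: str) -> Dict[str, str]:
    """Return {address: "PASSED"|"FAILED"} for every aws_dax_cluster in the root module."""
    plan = json.loads(plan_json)
    results: Dict[str, str] = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") != "aws_dax_cluster":
            continue
        # server_side_encryption is a block, rendered as a list of objects in plan JSON.
        blocks = res.get("values", {}).get("server_side_encryption") or []
        enabled = any(block.get("enabled") is True for block in blocks)
        results[res["address"]] = "PASSED" if enabled else "FAILED"
    return results


def failing_resources(results: Dict[str, str]) -> List[str]:
    """Sorted identifiers of the resources that violate the rule."""
    return sorted(k for k, v in results.items() if v == "FAILED")


if __name__ == "__main__":
    for name, results in (("CloudFormation", check_cloudformation(CFN_TEMPLATE)),
                          ("Terraform plan", check_terraform_plan(TF_PLAN))):
        print(f"{name}: {results}")
        if failing_resources(results):
            print(f"  DAX clusters without encryption at rest: {failing_resources(results)}")
```

A cluster that omits `SSESpecification` (or the `server_side_encryption` block) fails the check, because DAX defaults to no encryption at rest; an explicit `SSEEnabled: false` fails for the same reason. The Terraform walk covers the root module only; a real scanner would also descend into `child_modules`.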