AWS Appsync API Cache is not encrypted at rest
Description
Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots. We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.
Code Example
go
resource "aws_appsync_api_cache" "pass" {
api_id = aws_appsync_graphql_api.default.id
transit_encryption_enabled = true
at_rest_encryption_enabled = true
ttl = 60
type = "SMALL"
api_caching_behavior = "FULL_REQUEST_CACHING"
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0262 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_214 |