Ensure that your AWS DAX cluster data at rest (i.e. data in cache, configuration data and log files) is encrypted using Server-Side Encryption in order to protect it from unauthorized access to the underlying storage and meet compliance requirements. DAX Server-Side Encryption automatically integrates with AWS Key Management Service (KMS) for managing the default key that is used to encrypt your DAX cache clusters. The encryption and decryption process adds no storage overhead, has minimal impact on performance and is completely transparent – you don't need to modify your applications to use SSE.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When encryption at rest is enabled for your Amazon DAX cache clusters, you can use the service for security-sensitive DynamoDB applications that are subject to stringent data protection requirements set by organizational policies or by industry or government regulations.
To determine if encryption at rest is enabled for your Amazon DynamoDB Accelerator (DAX) clusters, perform the following actions:
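One way to run this check programmatically, as an added example that is not part of the original page or the Conformity tool: it reads the `SSEDescription.Status` field of the DAX `DescribeClusters` API response and flags every cluster that is not `ENABLED`. The sample response and cluster names are constructed, and treating a missing `SSEDescription` as disabled is an assumption.

```python
import json

# Constructed sample shaped like a DAX DescribeClusters response (not real data).
SAMPLE_RESPONSE = json.loads("""
{"Clusters": [
  {"ClusterName": "cache-prod", "Status": "available", "SSEDescription": {"Status": "ENABLED"}},
  {"ClusterName": "cache-dev", "Status": "available", "SSEDescription": {"Status": "DISABLED"}},
  {"ClusterName": "cache-legacy", "Status": "available"},
  {"ClusterName": "cache-new", "Status": "creating", "SSEDescription": {"Status": "ENABLING"}}
]}
""")


def sse_status(cluster):
    """Return the cluster's SSE status; a missing SSEDescription counts as DISABLED (assumption)."""
    return (cluster.get("SSEDescription") or {}).get("Status", "DISABLED")


def audit_clusters(clusters):
    """Split clusters into compliant and non-compliant (name, status) pairs."""
    report = {"compliant": [], "non_compliant": []}
    for cluster in clusters:
        status = sse_status(cluster)
        # Only ENABLED passes; ENABLING is reported until the transition completes.
        key = "compliant" if status == "ENABLED" else "non_compliant"
        report[key].append((cluster["ClusterName"], status))
    return report


def fetch_clusters(region):
    """Fetch every DAX cluster in one region with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("dax", region_name=region)
    clusters, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = client.describe_clusters(**kwargs)
        clusters.extend(page.get("Clusters", []))
        token = page.get("NextToken")
        if not token:
            return clusters


if __name__ == "__main__":
    report = audit_clusters(SAMPLE_RESPONSE["Clusters"])
    for name, status in report["non_compliant"]:
        print(f"FAIL {name}: SSE status {status}")
    for name, status in report["compliant"]:
        print(f"PASS {name}: SSE status {status}")
```

To audit a live account, pass the result of `fetch_clusters("<region>")` to `audit_clusters` for each region in use.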
Remediation / Resolution
To enable Server-Side Encryption (SSE) for an existing Amazon DAX cache cluster, you need to re-create that cluster with the necessary encryption configuration. To launch a new Amazon DynamoDB Accelerator cluster and enable SSE, perform the following actions:
Risk level: High