Severity: HIGH
Source: Trivy
ID: AVD-AWS-0023

DAX Cluster and tables should always encrypt data at rest

Amazon DynamoDB Accelerator (DAX) and table encryption at rest provide an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.

Impact

If the underlying storage is compromised, the data can be read freely.

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption at rest for DAX Cluster (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  daxCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: "MyDAXCluster"
      NodeType: "dax.r3.large"
      ReplicationFactor: 1
      IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
      Description: "DAX cluster created with CloudFormation"
      SSESpecification:
        SSEEnabled: true

Enable encryption at rest for DAX Cluster (Terraform)

resource "aws_dax_cluster" "good_example" {
  // other DAX config
  
  server_side_encryption {
    enabled = true // enabled server side encryption
  }
}
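The logic this rule enforces, written out as an added example rather than Trivy's own check implementation: a small Python scanner that walks a CloudFormation template in its JSON form and reports every AWS::DAX::Cluster whose SSESpecification.SSEEnabled is not explicitly true. The sample template, the finding format and the lenient handling of a string "true" are assumptions made for this example; a missing SSESpecification is treated as disabled because that is the service default the page warns about.

```python
import json

# Constructed sample template (JSON form of CloudFormation), not from the page:
# one compliant cluster, one with encryption explicitly off, one that omits the
# SSESpecification entirely, and an unrelated resource the scanner must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "encryptedDax": {
            "Type": "AWS::DAX::Cluster",
            "Properties": {
                "ClusterName": "encrypted",
                "NodeType": "dax.r3.large",
                "ReplicationFactor": 1,
                "IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
                "SSESpecification": {"SSEEnabled": True},
            },
        },
        "explicitOffDax": {
            "Type": "AWS::DAX::Cluster",
            "Properties": {
                "ClusterName": "explicit-off",
                "SSESpecification": {"SSEEnabled": False},
            },
        },
        "defaultDax": {
            "Type": "AWS::DAX::Cluster",
            "Properties": {"ClusterName": "default"},
        },
        "unrelatedTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"TableName": "example-table"},
        },
    },
})


def dax_sse_enabled(properties: dict) -> bool:
    """Return True only when SSESpecification.SSEEnabled is explicitly true.

    A missing SSESpecification block, or a missing SSEEnabled key inside it,
    leaves the cluster unencrypted (the service default), so both count as
    disabled. A string "true" is accepted as an assumption for templates that
    quote the boolean.
    """
    spec = properties.get("SSESpecification")
    if not isinstance(spec, dict):
        return False
    enabled = spec.get("SSEEnabled", False)
    if isinstance(enabled, str):
        return enabled.strip().lower() == "true"
    return enabled is True


def find_unencrypted_dax_clusters(template_text: str) -> list:
    """Scan a JSON CloudFormation template and return one finding per
    AWS::DAX::Cluster resource that does not enable encryption at rest."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DAX::Cluster":
            continue
        properties = resource.get("Properties") or {}
        if not dax_sse_enabled(properties):
            findings.append({
                "id": "AVD-AWS-0023",
                "severity": "HIGH",
                "resource": logical_id,
                "message": "DAX cluster does not enable server-side encryption",
            })
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted_dax_clusters(SAMPLE_TEMPLATE):
        print(f"{finding['severity']} {finding['id']} {finding['resource']}: "
              f"{finding['message']}")
```

Run against the constructed template, the scanner flags explicitOffDax and defaultDax and passes encryptedDax, which mirrors the remediation above: the fix is an explicit SSESpecification with SSEEnabled set to true, not merely the absence of a false value.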