Ensure that your AWS DAX cluster data at rest (i.e. data in cache, configuration data and log files) is encrypted using Server-Side Encryption in order to protect it from unauthorized access to the underlying storage and meet compliance requirements. DAX Server-Side Encryption automatically integrates with AWS Key Management Service (KMS) for managing the default key that is used to encrypt your DAX cache clusters. The encryption and decryption process adds no storage overhead, has minimal impact on performance and is completely transparent – you don't need to modify your applications to use SSE.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When encryption at rest is enabled for your Amazon DAX cache clusters, you can use the service for security-sensitive DynamoDB applications that have stringent data protection requirements set by organizational policies or by industry or government regulations.
To determine if encryption at rest is enabled for your Amazon DynamoDB Accelerator (DAX) clusters, perform the following actions:
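One way to script this check, as an added example that is not part of the original page: it reads output in the shape returned by `aws dax describe-clusters` and reports every cluster whose `SSEDescription.Status` is not `ENABLED`. The cluster names and sample JSON are constructed, and treating a missing `SSEDescription` as disabled is an assumption of this example.

```python
import json

# Constructed sample in the shape returned by `aws dax describe-clusters`
# (cluster names and values are made up for this example).
SAMPLE_RESPONSE = json.loads("""
{
  "Clusters": [
    {"ClusterName": "orders-cache", "Status": "available",
     "SSEDescription": {"Status": "ENABLED"}},
    {"ClusterName": "sessions-cache", "Status": "available",
     "SSEDescription": {"Status": "DISABLED"}},
    {"ClusterName": "legacy-cache", "Status": "available"},
    {"ClusterName": "new-cache", "Status": "creating",
     "SSEDescription": {"Status": "ENABLING"}}
  ]
}
""")


def sse_status(cluster):
    """SSE status of one cluster; a missing SSEDescription counts as DISABLED (assumption)."""
    return (cluster.get("SSEDescription") or {}).get("Status", "DISABLED")


def unencrypted_clusters(response):
    """Return (name, status) for every cluster whose SSE status is not ENABLED."""
    return [(c["ClusterName"], sse_status(c))
            for c in response.get("Clusters", [])
            if sse_status(c) != "ENABLED"]


def fetch_clusters(region):
    """Collect all DAX clusters in a region, following NextToken pagination."""
    import boto3  # imported lazily so the offline check above needs no AWS SDK
    client, clusters, token = boto3.client("dax", region_name=region), [], None
    while True:
        page = client.describe_clusters(**({"NextToken": token} if token else {}))
        clusters.extend(page.get("Clusters", []))
        token = page.get("NextToken")
        if not token:
            return {"Clusters": clusters}


if __name__ == "__main__":
    for name, status in unencrypted_clusters(SAMPLE_RESPONSE):
        print(f"NON-COMPLIANT {name}: SSE status {status}")
```

Against a live account, pass the result of `fetch_clusters` for each region in use to `unencrypted_clusters`; a cluster still in `ENABLING` is reported until it reaches `ENABLED`.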
To enable Server-Side Encryption (SSE) for an existing Amazon DAX cache cluster, you need to re-create that cluster with the necessary encryption configuration. To launch a new Amazon DynamoDB Accelerator cluster and enable SSE, perform the following actions: