Ensure server-side encryption (SSE) is enforced for AWS DynamoDB tables

MEDIUM

Description

Although it is available for a DynamoDB Accelerator (DAX) cluster, AWS does not enable server-side encryption (SSE) by default. Encryption at rest protects the data stored within the cluster using AWS Key Management Service (KMS), which is integrated automatically when the feature is enabled.

Remediation

DynamoDB DAX cluster encryption can only be enabled at the time of creation, using AWS KMS or a customer managed key (CMK). Because the setting cannot be changed afterwards, an existing unencrypted cluster has to be replaced by a new cluster created with encryption enabled. To learn about creating a new cluster with encryption enabled, see the AWS documentation.

In Terraform -

  1. In the aws_dax_cluster resource, set 'server_side_encryption.enabled' to 'true'.
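The following Terraform snippet is an added example (not part of the original policy page) showing a non-compliant aws_dax_cluster next to the compliant form; the cluster names are constructed and the IAM role ARN is passed in through an assumed input variable.

```hcl
# Assumed input: the IAM role DAX uses to reach DynamoDB on the cluster's behalf.
variable "dax_iam_role_arn" {
  type = string
}

# Non-compliant: the server_side_encryption block is omitted (equivalent to
# enabled = false), so the cluster is created without encryption at rest and
# cannot be fixed in place afterwards.
resource "aws_dax_cluster" "unencrypted" {
  cluster_name       = "example-dax-unencrypted" # constructed name
  iam_role_arn       = var.dax_iam_role_arn
  node_type          = "dax.t3.small"
  replication_factor = 1
}

# Compliant: server_side_encryption.enabled is set to true at creation time,
# which is the only point at which DAX encryption at rest can be turned on.
resource "aws_dax_cluster" "encrypted" {
  cluster_name       = "example-dax-encrypted" # constructed name
  iam_role_arn       = var.dax_iam_role_arn
  node_type          = "dax.t3.small"
  replication_factor = 1

  server_side_encryption {
    enabled = true
  }
}
```

Because the setting is creation-time only, adding the block to an existing cluster causes Terraform to plan a destroy-and-recreate rather than an in-place update. Already-deployed clusters can be checked with `aws dax describe-clusters --query 'Clusters[].[ClusterName,SSEDescription.Status]'`.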

References:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.html
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#server_side_encryption

Policy Details

Rule Reference ID: AC_AWS_0375
CSP: AWS
Remediation Available: Yes
Resource: aws_dax_cluster
Resource Category: Database
Resource Type: DynamoDB

Frameworks