Description:

Amazon DynamoDB Accelerator (DAX) is a DynamoDB-compatible caching service that provides fast in-memory performance for demanding applications. DAX supports server-side encryption (encryption at rest). It also supports encryption in transit, which ensures that all requests and responses between your application and the cluster are protected by Transport Layer Security (TLS), and lets connections to the cluster be authenticated by verifying the cluster's X.509 certificate.


Rationale:

Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by securing the cached data against unauthorized access to the underlying storage. Encryption in transit protects the same data on the network path between the application and the cluster.

 

Impact:

With encryption at rest, the data persisted by DAX on disk is encrypted using the 256-bit Advanced Encryption Standard (AES-256). Because the setting is fixed at creation time, remediating an unencrypted cluster means creating a replacement cluster and cutting the application over to it.


Default value:

By default, encryption is enabled. Do not rely on the default when auditing: confirm the actual setting of each cluster with the test plan below.

NOTE 

Encryption at rest must be chosen when the cluster is created. It cannot be enabled or disabled on an existing cluster.


Pre-requisites:

  1. Sign in as an administrator or as an IAM user with the permissions required to describe, create and delete DAX clusters.

  2. An IAM service role that DAX can assume to access DynamoDB (an existing role, or one created during cluster creation).

  3. Record the configuration of the existing DAX cluster (node type, cluster size, subnet group, security group and IAM role) so that the replacement can be created with the same settings.

  4. Follow the implementation steps only if the DAX cluster is found to be unencrypted.



Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the DynamoDB service at https://console.aws.amazon.com/dynamodb/.

  3. Under DAX, click Clusters in the left navigation pane.

  4. Select the DAX cluster that you want to examine.

  5. Open the Settings tab.

  6. In the Encryption section, check whether Encryption at rest is set to Enabled or Disabled. A cluster showing Disabled is not encrypted at rest and must be replaced (see Remediation).


Using AWS CLI:

Use describe-clusters and query the encryption status of each cluster. SSEDescription.Status reports ENABLED for encrypted clusters; DISABLED (or a missing SSEDescription) means the cluster is not encrypted at rest. Add --cluster-names <name> to inspect a single cluster.

aws dax describe-clusters \
  --region us-east-1 \
  --output table \
  --query 'Clusters[*].[ClusterName,SSEDescription.Status,ClusterEndpointEncryptionType]'
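The same check, scripted, as an added example (not code from the original page or from AWS): it evaluates the shape of the describe-clusters response that the CLI command above returns, flags every cluster whose SSEDescription.Status is not ENABLED, and reports the in-transit setting alongside for context. The response below is constructed for the demo; the fetch_clusters helper, the only part that needs boto3 and credentials, is not run by the demo.

```python
"""Audit DAX clusters for encryption at rest (and report encryption in transit).

Added example, not from the original page. SAMPLE_RESPONSE is a constructed
describe-clusters response; field names follow the DAX DescribeClusters API.
"""
from typing import Dict, List

# Constructed sample modelled on the describe-clusters response shape.
SAMPLE_RESPONSE = {
    "Clusters": [
        {
            "ClusterName": "cc-encrypted-cluster",
            "Status": "available",
            "SSEDescription": {"Status": "ENABLED"},
            "ClusterEndpointEncryptionType": "TLS",
        },
        {
            "ClusterName": "legacy-cache",
            "Status": "available",
            "SSEDescription": {"Status": "DISABLED"},
            "ClusterEndpointEncryptionType": "NONE",
        },
        {
            # A cluster may omit SSEDescription entirely; treat that as not encrypted.
            "ClusterName": "old-cache",
            "Status": "available",
        },
    ]
}


def sse_enabled(cluster: Dict) -> bool:
    """True only when the cluster reports encryption at rest as ENABLED."""
    return cluster.get("SSEDescription", {}).get("Status") == "ENABLED"


def tls_enabled(cluster: Dict) -> bool:
    """True when the cluster endpoint is TLS (encryption in transit)."""
    return cluster.get("ClusterEndpointEncryptionType") == "TLS"


def audit(response: Dict) -> List[Dict[str, object]]:
    """One finding per cluster; Compliant follows the at-rest check this page describes."""
    findings = []
    for cluster in response.get("Clusters", []):
        findings.append({
            "ClusterName": cluster["ClusterName"],
            "EncryptionAtRest": sse_enabled(cluster),
            "EncryptionInTransit": tls_enabled(cluster),
            "Compliant": sse_enabled(cluster),
        })
    return findings


def noncompliant(response: Dict) -> List[str]:
    """Names of clusters that must be replaced with encrypted ones."""
    return [f["ClusterName"] for f in audit(response) if not f["Compliant"]]


def fetch_clusters(region: str) -> Dict:
    """Call the real API (needs boto3 and AWS credentials); not used by the offline demo."""
    import boto3  # imported here so the offline demo runs without boto3 installed
    client = boto3.client("dax", region_name=region)
    merged: Dict = {"Clusters": []}
    kwargs: Dict = {}
    while True:  # DescribeClusters pages with NextToken
        page = client.describe_clusters(**kwargs)
        merged["Clusters"].extend(page.get("Clusters", []))
        if not page.get("NextToken"):
            return merged
        kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        state = "OK" if finding["Compliant"] else "NOT ENCRYPTED AT REST"
        print(f"{finding['ClusterName']}: {state} (TLS endpoint: {finding['EncryptionInTransit']})")
```

Run it against a real account by replacing SAMPLE_RESPONSE with fetch_clusters("us-east-1"); a non-empty result from noncompliant is the trigger for the remediation below.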

Remediation:

Implementation steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to the DynamoDB service at https://console.aws.amazon.com/dynamodb/.

  3. Under DAX, click Clusters in the left navigation pane.

  4. Click the Create cluster button.

  5. On the Create a DynamoDB Accelerator (DAX) cluster page:

    1. Enter the name of the new DAX cluster in the Cluster name box. It must differ from the name of the cluster being replaced, because the old cluster stays in place until the application has been cut over.

    2. Select the node type from the Node type dropdown list.

    3. Choose the number of nodes to create in the new cache cluster from the Cluster size dropdown list.

    4. Choose a subnet group name and subnets.

    5. Check the Enable encryption at rest checkbox. Check Enable encryption in transit as well so that client connections to the cluster use TLS.

    6. From the IAM role dropdown list, choose whether to create a new IAM service role or select an existing role.

    7. In the Cluster settings section, either keep Use default settings checked to accept the defaults provided by the DAX service, or uncheck it to adjust them. To reach the new cache cluster from your DynamoDB-based application, the selected security group must allow inbound access on the DAX port (8111 for unencrypted clusters, 9111 for clusters with encryption in transit).

  6. Click Launch cluster.

  7. Change the cluster endpoint in your DynamoDB application to reference the new cluster. If encryption in transit was enabled, the new endpoint begins with daxs:// and the DAX client library must support TLS.

  8. Remove the old, unencrypted DAX cache cluster. To terminate it:

    a. Select the cache cluster that you want to remove.

    b. Click Actions and select Delete.


Using AWS CLI:

The following command creates a new DAX cluster with encryption at rest enabled (--sse-specification Enabled=true) and, matching the console steps above, a TLS cluster endpoint for encryption in transit (--cluster-endpoint-encryption-type TLS). The cluster name, IAM role ARN, security group and subnet group are placeholders; substitute the values recorded from the old cluster. After the cluster becomes available, confirm with describe-clusters that SSEDescription.Status is ENABLED before cutting the application over and deleting the old cluster.

aws dax create-cluster \
  --region us-east-1 \
  --cluster-name cc-encrypted-cluster \
  --node-type dax.r4.large \
  --replication-factor 2 \
  --iam-role-arn arn:aws:iam::123456789012:role/service-role/DAXtoDynamoDB \
  --security-group-ids sg-abcd1234 \
  --availability-zones "us-east-1a" "us-east-1b" \
  --subnet-group-name cc-dax-subnet-group \
  --sse-specification Enabled=true \
  --cluster-endpoint-encryption-type TLS
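The replacement procedure above (record the old cluster's configuration, create an encrypted cluster with the same settings, cut over, delete the old one) as an added example, not code from the original page or from AWS. The function replacement_spec takes a Cluster entry as returned by describe-clusters and builds the create_cluster parameters for an encrypted twin: same node type, replication factor, IAM role, subnet group, security groups, parameter group and per-node Availability Zones, with encryption at rest forced on and a TLS endpoint by default. It refuses to run when the old cluster is already encrypted or when the new name collides with the old one. OLD_CLUSTER is a constructed sample; the function and parameter names are this example's own, and only create_replacement touches AWS.

```python
"""Build the parameters for an encrypted replacement of an unencrypted DAX cluster.

Added example, not from the original page. OLD_CLUSTER is a constructed
describe-clusters Cluster entry; output keys follow the DAX CreateCluster API.
"""
from typing import Dict

OLD_CLUSTER = {  # constructed sample of a describe-clusters Cluster entry
    "ClusterName": "legacy-cache",
    "NodeType": "dax.r4.large",
    "TotalNodes": 2,
    "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/DAXtoDynamoDB",
    "SubnetGroup": "cc-dax-subnet-group",
    "SecurityGroups": [{"SecurityGroupIdentifier": "sg-abcd1234", "Status": "active"}],
    "ParameterGroup": {"ParameterGroupName": "default.dax1.0"},
    "SSEDescription": {"Status": "DISABLED"},
    "ClusterEndpointEncryptionType": "NONE",
    "Nodes": [
        {"NodeId": "legacy-cache-a", "AvailabilityZone": "us-east-1a"},
        {"NodeId": "legacy-cache-b", "AvailabilityZone": "us-east-1b"},
    ],
}


def replacement_spec(old: Dict, new_name: str, encrypt_in_transit: bool = True) -> Dict:
    """Parameters for create_cluster that mirror `old` but with encryption enabled."""
    if old.get("SSEDescription", {}).get("Status") == "ENABLED":
        raise ValueError(f"{old['ClusterName']} is already encrypted at rest; nothing to replace")
    if new_name == old["ClusterName"]:
        raise ValueError("the replacement needs a new name; the old cluster is deleted only after cutover")

    spec: Dict = {
        "ClusterName": new_name,
        "NodeType": old["NodeType"],
        "ReplicationFactor": old["TotalNodes"],
        "IamRoleArn": old["IamRoleArn"],
        "SubnetGroupName": old["SubnetGroup"],
        "SecurityGroupIds": [sg["SecurityGroupIdentifier"] for sg in old.get("SecurityGroups", [])],
        # The two settings that cannot be changed after creation, set the way we want them.
        "SSESpecification": {"Enabled": True},
        "ClusterEndpointEncryptionType": "TLS" if encrypt_in_transit else "NONE",
    }

    # AvailabilityZones must have exactly ReplicationFactor entries, one per node,
    # so only copy them when the old cluster's node list is complete.
    zones = [n["AvailabilityZone"] for n in old.get("Nodes", []) if "AvailabilityZone" in n]
    if len(zones) == old["TotalNodes"]:
        spec["AvailabilityZones"] = zones

    group = old.get("ParameterGroup", {}).get("ParameterGroupName")
    if group:
        spec["ParameterGroupName"] = group
    return spec


def create_replacement(region: str, old: Dict, new_name: str) -> Dict:
    """Create the encrypted twin (needs boto3 and credentials); not run by the offline demo."""
    import boto3  # imported here so the offline demo runs without boto3 installed
    client = boto3.client("dax", region_name=region)
    return client.create_cluster(**replacement_spec(old, new_name))


if __name__ == "__main__":
    for key, value in replacement_spec(OLD_CLUSTER, "cc-encrypted-cluster").items():
        print(f"{key}: {value}")
```

Once the new cluster reports SSEDescription.Status ENABLED, switch the application to its daxs:// endpoint (port 9111 for a TLS cluster) and only then delete the old cluster; the old name check exists so that nothing in this script can replace a cluster in place, which the service does not allow.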


Backout plan:

Encryption settings cannot be modified once a DAX cluster is launched; the only way to change them is to delete the cluster and re-create it. To back out of the cutover, point the application back at the original cluster's endpoint before the old cluster is deleted. Once the old cluster has been deleted, it can only be re-created from the configuration recorded in the pre-requisites.


Reference:

In-Memory Acceleration with DynamoDB Accelerator (DAX) - Amazon DynamoDB