Description:
DAX clusters can be encrypted at rest using AWS KMS. This helps to protect the confidentiality of data stored in the cluster by making it more difficult for unauthorized users to access it.
Rationale:
DAX clusters can store sensitive data, such as customer PII data. By encrypting DAX clusters, we can help to protect this data from unauthorized access.
Impact:
If DAX clusters are not encrypted, then unauthorized users could potentially access sensitive data. This could lead to data breaches, financial losses, and reputational damage.
Default Value:
By default, DAX clusters are not encrypted. However, AWS recommends that you encrypt your DAX clusters to help protect their confidentiality.
Pre-requisites:
- You must have access to the AWS KMS console.
- You must have a KMS key that you want to use to encrypt your DAX clusters.
Remediation Steps:
- In the AWS KMS console, select the KMS key that you want to use to encrypt your DAX clusters.
- Click the "Actions" menu and select "Encrypt".
- In the "Encrypt" dialog box, select the DAX clusters that you want to encrypt.
- Click the "Encrypt" button.
Test Plan:
- Verify that the DAX clusters are encrypted by checking the "Encryption" setting in the AWS KMS console.
- Try to access the data in the DAX clusters from an unauthorized account. You should not be able to access the data.
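The encryption check can also be scripted. The following is an added example, not part of the original page: it reads the JSON printed by `aws dax describe-clusters` and flags every cluster whose `SSEDescription.Status` is not `ENABLED`. The cluster names in the sample are constructed, and the script name `check_dax_sse.py` is hypothetical.

```python
import json
import sys

# Constructed sample shaped like `aws dax describe-clusters` output (not real data).
SAMPLE = """
{
  "Clusters": [
    {"ClusterName": "orders-cache", "Status": "available",
     "SSEDescription": {"Status": "ENABLED"}},
    {"ClusterName": "legacy-cache", "Status": "available",
     "SSEDescription": {"Status": "DISABLED"}},
    {"ClusterName": "sessions-cache", "Status": "creating",
     "SSEDescription": {"Status": "ENABLING"}},
    {"ClusterName": "old-cache", "Status": "available"}
  ]
}
"""


def audit_dax_encryption(describe_json):
    """Return (compliant, findings) for a describe-clusters JSON document.

    A cluster is compliant only when SSEDescription.Status is ENABLED.
    Transitional states (ENABLING, DISABLING) and a missing SSEDescription
    block are reported as findings so they get a human look.
    """
    doc = json.loads(describe_json)
    compliant, findings = [], []
    for cluster in doc.get("Clusters", []):
        name = cluster.get("ClusterName", "<unnamed>")
        status = (cluster.get("SSEDescription") or {}).get("Status", "MISSING")
        if status == "ENABLED":
            compliant.append(name)
        else:
            findings.append((name, status))
    return compliant, findings


if __name__ == "__main__":
    # Usage: aws dax describe-clusters | python3 check_dax_sse.py
    # With no piped input, the constructed sample is audited instead.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    ok, bad = audit_dax_encryption(data)
    for name, status in bad:
        print(f"FAIL {name}: SSE status {status}")
    print(f"{len(ok)} encrypted, {len(bad)} not encrypted")
    sys.exit(1 if bad else 0)
```

The non-zero exit code on any finding lets the check run as a gate in a scheduled job or pipeline.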
Implementation Plan:
AWS CLI Process:
aws dax create-cluster \
    --cluster-name my-dax-cluster \
    --node-type dax.r4.large \
    --replication-factor 3 \
    --iam-role-arn roleARN \
    --sse-specification Enabled=true
Using AWS GUI:
- In the AWS DAX console, create a new DAX cluster.
- In the "Encryption" section, select the "Enable encryption" checkbox.
- Select the KMS key that you want to use to encrypt the cluster.
- Click the "Create cluster" button.
Backout Plan:
- In the AWS KMS console, select the KMS key that you used to encrypt your DAX clusters.
- Click the "Actions" menu and select "Decrypt".
- In the "Decrypt" dialog box, select the DAX clusters that you want to decrypt.
- Click the "Decrypt" button.
Note:
- You can also encrypt your DAX clusters using the AWS DAX console.
- For more information, see the AWS KMS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/