Profile Applicability:
Level 1
Description:
DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for Amazon DynamoDB that improves read performance by up to 10 times, even at millions of requests per second. Encryption in transit ensures that data transmitted between DAX clusters and applications is encrypted, providing security against eavesdropping and man-in-the-middle attacks. This SOP ensures that DAX clusters are configured with encryption in transit, which is essential for protecting sensitive data while it is in transit between clients and the cache.
Rationale:
Security: Encryption in transit helps protect sensitive data from unauthorized access or tampering as it moves between DAX clusters and other AWS services or clients.
Compliance: Many security frameworks and standards, such as PCI-DSS, SOC 2, and HIPAA, require encryption for data transmitted over networks, including between cache services and applications.
Best Practices: Enabling encryption in transit ensures that DAX clusters meet security best practices for data protection.
Impact:
Pros:
Increased Security: Ensures data transmitted to and from DAX clusters is encrypted, reducing the risk of interception.
Compliance: Helps meet security requirements for encryption of data in transit as required by various regulations and compliance frameworks.
Data Integrity: Protects the integrity of data being sent to and from the cache by preventing tampering during transmission.
Cons:
Performance Overhead: Enabling encryption in transit may introduce slight latency from the encryption and decryption process, though the overhead is minimal.
Compatibility: Some legacy systems may require configuration changes to support encrypted connections.
Default Value:
By default, DAX clusters are not encrypted in transit. This feature needs to be explicitly enabled when creating or modifying a DAX cluster.
Pre-requisite:
AWS IAM Permissions:
dax:DescribeClusters
dax:UpdateCluster
AWS CLI installed and configured.
DAX Cluster created and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon DAX under Services.
In the DAX Console, select Clusters.
Choose the DAX cluster you want to check.
In the Cluster details, verify if the Encryption in Transit setting is enabled.
If Encryption in Transit is enabled, it will show as "Enabled".
If it is not enabled, it will show as "Disabled".
If encryption in transit is not enabled, follow the Implementation Steps below to enable it.
Using AWS CLI:
To describe the DAX cluster and check the encryption status, run (DAX clusters are identified by name; the describe output reports encryption in transit as the cluster endpoint encryption type and encryption at rest under SSEDescription):
aws dax describe-clusters --cluster-names <cluster-name> --query 'Clusters[*].{ClusterName:ClusterName,EncryptionAtRest:SSEDescription.Status,EncryptionInTransit:ClusterEndpointEncryptionType}'
The output will return:
EncryptionInTransit: TLS if encryption in transit is enabled.
EncryptionInTransit: NONE if encryption in transit is not enabled.
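The same check carried out over the describe-clusters output, as an added example that is not part of this SOP: a small audit function that takes a DescribeClusters response and reports every cluster whose endpoint encryption type is not TLS. The sample response below is constructed; it assumes the field names of the DAX DescribeClusters API (ClusterEndpointEncryptionType, SSEDescription.Status), and a cluster that omits the field is treated as unencrypted in transit, which is the conservative reading for an audit.

```python
"""Audit DAX clusters for encryption in transit (added example, not the SOP's own code).

SAMPLE_RESPONSE is a constructed DescribeClusters result. For a live check, pass the
result of boto3.client("dax").describe_clusters() into audit_dax_clusters() instead.
"""
import json

# Constructed sample in the shape of the DescribeClusters response (values are made up).
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterName": "orders-cache", "Status": "available",
         "ClusterEndpointEncryptionType": "TLS",
         "SSEDescription": {"Status": "ENABLED"}},
        {"ClusterName": "legacy-cache", "Status": "available",
         "ClusterEndpointEncryptionType": "NONE",
         "SSEDescription": {"Status": "DISABLED"}},
        # Assumption: a cluster that omits the field is treated as unencrypted in transit.
        {"ClusterName": "old-api-cache", "Status": "available",
         "SSEDescription": {"Status": "ENABLED"}},
    ]
}


def in_transit_enabled(cluster):
    """True only when the cluster endpoint encryption type is TLS."""
    return cluster.get("ClusterEndpointEncryptionType", "NONE") == "TLS"


def at_rest_enabled(cluster):
    """True when server-side encryption (encryption at rest) reports ENABLED."""
    return cluster.get("SSEDescription", {}).get("Status") == "ENABLED"


def audit_dax_clusters(response):
    """Return one finding per cluster; Compliant follows the in-transit check of this SOP."""
    findings = []
    for cluster in response.get("Clusters", []):
        findings.append({
            "ClusterName": cluster["ClusterName"],
            "EncryptionInTransit": in_transit_enabled(cluster),
            "EncryptionAtRest": at_rest_enabled(cluster),
            "Compliant": in_transit_enabled(cluster),
        })
    return findings


def non_compliant_clusters(response):
    """Sorted names of clusters that fail the encryption-in-transit check."""
    return sorted(f["ClusterName"] for f in audit_dax_clusters(response) if not f["Compliant"])


if __name__ == "__main__":
    print(json.dumps(audit_dax_clusters(SAMPLE_RESPONSE), indent=2))
```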
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon DAX.
In the DAX Console, select Clusters and choose the DAX cluster you want to enable encryption in transit for.
Click on Modify and enable Encryption in Transit.
Review the changes and click Save Changes to apply the modification.
Using AWS CLI:
To enable encryption in transit, set the cluster endpoint encryption type to TLS when the cluster is created. The aws dax update-cluster command has no encryption option, so a cluster that was created without TLS is replaced by a new cluster and clients are repointed to its endpoint:
aws dax create-cluster --cluster-name <cluster-name> --node-type <node-type> --replication-factor <replication-factor> --iam-role-arn <dax-service-role-arn> --cluster-endpoint-encryption-type TLS
To confirm that encryption in transit is enabled, rerun the describe command and check that EncryptionInTransit reports TLS:
aws dax describe-clusters --cluster-names <cluster-name> --query 'Clusters[*].{ClusterName:ClusterName,EncryptionAtRest:SSEDescription.Status,EncryptionInTransit:ClusterEndpointEncryptionType}'
Backout Plan:
Using AWS Console:
If enabling encryption in transit causes issues, sign in to the AWS Management Console.
Navigate to DynamoDB, select the DAX cluster, and go to Edit under the Encryption section.
Disable Encryption in transit and save the changes.
Verify that encryption in transit is now disabled for the cluster.
Using AWS CLI:
Because the endpoint encryption type cannot be changed on an existing cluster, backing out means creating a replacement cluster with encryption type NONE and repointing clients to it:
aws dax create-cluster --cluster-name <cluster-name> --node-type <node-type> --replication-factor <replication-factor> --iam-role-arn <dax-service-role-arn> --cluster-endpoint-encryption-type NONE --region <REGION>
Verify that encryption in transit is now disabled by describing the cluster again and checking that EncryptionInTransit reports NONE:
aws dax describe-clusters --cluster-names <cluster-name> --region <REGION> --query 'Clusters[*].{ClusterName:ClusterName,EncryptionInTransit:ClusterEndpointEncryptionType}'