Profile Applicability:

  • Level 1

Description:

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that serves reads for your tables at microsecond latency. A DAX cluster holds copies of table items and query results, so it must be protected to the same standard as the tables it fronts. Encryption at rest for a DAX cluster encrypts the data the cluster persists to its underlying storage with AES-256, using a service default key managed in AWS KMS, so that cached table data is unreadable to anyone who obtains the storage media. This SOP verifies that every DAX cluster has encryption at rest enabled and, because the setting can only be chosen when a cluster is created, describes how to replace an unencrypted cluster with an encrypted one.

Rationale:

  • Security: Encryption at rest ensures that data written to the cluster's underlying storage is unreadable without the key, so a party who gains access to the physical storage, a decommissioned disk or a storage snapshot cannot recover cached table data.

  • Compliance: Regulatory frameworks such as GDPR, HIPAA and PCI DSS expect sensitive data to be encrypted at rest. DynamoDB tables are always encrypted at rest; an unencrypted DAX cache in front of such a table reintroduces an unencrypted copy of the same data and undermines that control.

  • Data Protection: Cached items and query results are as sensitive as the table they came from. Encrypting the cache keeps the data protected if the storage layer is compromised, not only when the cluster is running.

Impact:

Pros:

  • Enhanced Data Security: Data persisted by the DAX cluster is protected against unauthorized access to the underlying storage.

  • Compliance: Meets data-at-rest encryption requirements in regulated environments and keeps the cache consistent with the always-encrypted DynamoDB tables behind it.

  • Transparent to applications: Encryption and key handling are performed by the service. No client code changes are required and the application never handles the key.

Cons:

  • Operational Overhead: Encryption at rest cannot be turned on for an existing cluster. An unencrypted cluster must be replaced by a new encrypted cluster, and every application must be repointed to the new cluster's discovery endpoint. The new cluster starts cold, so read traffic to DynamoDB rises until the cache warms.

  • Node type constraint: Encryption at rest is not available on dax.r3 node types; clusters on those nodes must also move to a supported node type when they are replaced.

  • Costs: Running the old and new clusters in parallel during cut-over doubles DAX node charges for that period. DAX uses the AWS managed service default key in AWS KMS, so there is no customer key to manage, but KMS API usage for that key may be billed.

Default Value:

Encryption at rest is not enabled by default. It can be enabled only when a DAX cluster is created; it cannot be added to, or removed from, an existing cluster. DAX encrypts with a service default key (an AWS managed key in AWS KMS) and does not support customer managed keys, so there is no per-cluster key selection to verify, only whether encryption was enabled at creation.

Pre-requisite:

  • AWS IAM permissions:

    • dax:DescribeClusters (test plan)

    • dax:CreateCluster, dax:DeleteCluster and iam:PassRole on the cluster's service role (remediation and backout)

  • AWS CLI installed and configured for the target region.

  • An existing DAX cluster, and the details needed to recreate it: node type, replication factor (node count), IAM service role ARN, subnet group, security groups and parameter group.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DynamoDB under Services.

  3. In the DynamoDB console, go to DAX and then Clusters.

  4. Select the DAX cluster you want to check.

  5. In the cluster details, locate the encryption at rest setting.

    • If it shows Enabled, the cluster was created with encryption at rest and is compliant.

    • If it shows Disabled, the cluster was created without encryption. The setting cannot be changed in place; the cluster must be replaced as described under Implementation Steps.

  6. Repeat for every region in which DAX clusters exist, since DAX is a regional service.

Using AWS CLI:

  1. To list every DAX cluster in the current region together with its encryption-at-rest status, run:

    aws dax describe-clusters --query "Clusters[].[ClusterName,SSEDescription.Status]" --output text

  2. To check a single cluster, run:

    aws dax describe-clusters --cluster-names <cluster-name> --query "Clusters[0].SSEDescription.Status" --output text

  3. A status of ENABLED means encryption at rest is active. DISABLED (or no value) means the cluster was created without encryption and must be replaced. ENABLING and DISABLING are transient states; re-check them later. Repeat in each region in use, or add --region <region> to the commands above.
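The same check as an audit script, added here as an example and not part of the original SOP or of any AWS tooling. The audit logic is a pure function over the shape of the dax:DescribeClusters response, so it is exercised against a constructed sample below; main() shows the same function driven by boto3 (assumed installed, credentials from the usual AWS sources) across every region that offers DAX. Cluster names, node types and region handling in the sample are assumptions for illustration.

```python
"""Added example: flag DAX clusters whose encryption-at-rest status is not ENABLED."""

# Constructed sample, trimmed to the fields the audit reads: one encrypted
# cluster, one created without encryption, and one with no SSEDescription at all
# (the shape an old cluster created before the feature existed can return).
SAMPLE_DESCRIBE_CLUSTERS = {
    "Clusters": [
        {"ClusterName": "orders-cache", "NodeType": "dax.r5.large",
         "Status": "available", "SSEDescription": {"Status": "ENABLED"}},
        {"ClusterName": "legacy-cache", "NodeType": "dax.r4.large",
         "Status": "available", "SSEDescription": {"Status": "DISABLED"}},
        {"ClusterName": "old-r3-cache", "NodeType": "dax.r3.large",
         "Status": "available"},
    ]
}


def encryption_status(cluster):
    """Return SSEDescription.Status for one cluster, or "DISABLED" when the
    field is absent: absence means no SSESpecification was given at creation."""
    return (cluster.get("SSEDescription") or {}).get("Status", "DISABLED")


def noncompliant_clusters(response):
    """Return [(name, node_type, status)] for every cluster not in ENABLED.

    ENABLING and DISABLING are reported as findings too: neither is a proven
    encrypted state, and the caller can re-check those entries later."""
    findings = []
    for cluster in response.get("Clusters", []):
        status = encryption_status(cluster)
        if status != "ENABLED":
            findings.append((cluster["ClusterName"],
                             cluster.get("NodeType", ""), status))
    return findings


def all_clusters(dax_client):
    """Page through describe_clusters; the API returns NextToken when the
    region has more clusters than fit in one response."""
    clusters, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = dax_client.describe_clusters(**kwargs)
        clusters.extend(page.get("Clusters", []))
        token = page.get("NextToken")
        if not token:
            return {"Clusters": clusters}


def main():
    import boto3  # assumed installed; not imported at module level so the
    from botocore.exceptions import BotoCoreError, ClientError  # audit runs offline
    session = boto3.session.Session()
    for region in session.get_available_regions("dax"):
        try:
            resp = all_clusters(session.client("dax", region_name=region))
        except (BotoCoreError, ClientError) as exc:
            print(f"{region}\tERROR\t{exc}")  # e.g. opt-in region not enabled
            continue
        for name, node_type, status in noncompliant_clusters(resp):
            action = "replace cluster"
            if node_type.startswith("dax.r3."):
                action += " and move off dax.r3 (no encryption support)"
            print(f"{region}\t{name}\t{node_type}\t{status}\t{action}")


if __name__ == "__main__":
    main()
```

Each finding is a cluster that has to be recreated, because the status cannot be changed in place; the dax.r3 note reflects that those node types cannot be encrypted at all, so the replacement also needs a different node type.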

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to DynamoDB, then DAX and Clusters.

  2. Open the unencrypted cluster and record its node type, number of nodes, IAM service role, subnet group, security groups and parameter group. Encryption at rest cannot be enabled on this cluster; it will be replaced.

  3. Choose Create cluster, give the new cluster a different name, and enter the same settings recorded in step 2.

  4. In the encryption settings of the creation wizard, turn on encryption at rest. DAX uses its AWS managed service default key; there is no key to choose.

  5. Create the cluster and wait until its status is Available and the cluster details show encryption at rest as Enabled.

  6. Update applications to use the new cluster's discovery endpoint. Once the original cluster no longer receives traffic, select it and choose Delete.

Using AWS CLI:

  1. Capture the existing cluster's configuration so the replacement matches it:

    aws dax describe-clusters --cluster-names <cluster-name>

  2. Create a new cluster with the same node type, replication factor, IAM service role, subnet group and security groups, with encryption at rest enabled (the SSE specification has only the Enabled flag; no key ID is accepted):

    aws dax create-cluster --cluster-name <new-cluster-name> --node-type <node-type> --replication-factor <replication-factor> --iam-role-arn <iam-role-arn> --subnet-group-name <subnet-group-name> --security-group-ids <security-group-id> --sse-specification Enabled=true

  3. Wait until the new cluster is available, then confirm encryption and note its discovery endpoint:

    aws dax describe-clusters --cluster-names <new-cluster-name> --query "Clusters[0].[Status,SSEDescription.Status,ClusterDiscoveryEndpoint.Address]" --output text

  4. Point the application's DAX client at the new discovery endpoint and confirm traffic has moved. Only then delete the unencrypted cluster:

    aws dax delete-cluster --cluster-name <cluster-name>
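Deriving the replacement cluster's settings from the old cluster by hand is where migrations drift (a forgotten security group, a different parameter group). The following is an added example, not part of the original SOP or of any AWS library, that builds the create_cluster request for the encrypted replacement directly from the old cluster's DescribeClusters entry and checks the new cluster after creation. The pure functions are exercised against a constructed sample; main() shows them driven by boto3 (assumed installed). The cluster, role, subnet group and security group identifiers in the sample are assumptions.

```python
"""Added example: clone an unencrypted DAX cluster as an encrypted one."""

# Constructed sample: the DescribeClusters entry of the cluster to be replaced.
LEGACY_CLUSTER = {
    "ClusterName": "legacy-cache",
    "NodeType": "dax.r4.large",
    "TotalNodes": 3,
    "Status": "available",
    "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
    "SubnetGroup": "dax-private-subnets",
    "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0123456789abcdef0",
                        "Status": "active"}],
    "IamRoleArn": "arn:aws:iam::123456789012:role/DAXServiceRole",
    "ParameterGroup": {"ParameterGroupName": "default.dax1.0",
                       "ParameterApplyStatus": "in-sync"},
    "SSEDescription": {"Status": "DISABLED"},
    "ClusterEndpointEncryptionType": "NONE",
}

# DescribeClusters field -> CreateCluster parameter, for settings that carry
# over unchanged.  Absent fields are skipped so create_cluster never gets None.
_CARRY_OVER = (
    ("NodeType", "NodeType"),
    ("TotalNodes", "ReplicationFactor"),
    ("IamRoleArn", "IamRoleArn"),
    ("SubnetGroup", "SubnetGroupName"),
    ("PreferredMaintenanceWindow", "PreferredMaintenanceWindow"),
    ("ClusterEndpointEncryptionType", "ClusterEndpointEncryptionType"),
)


def encrypted_replacement_spec(cluster, new_name, node_type=None):
    """Return kwargs for dax.create_cluster() that clone `cluster` with
    encryption at rest enabled.  node_type overrides the old node type, which
    is required when the old cluster runs on dax.r3 (no encryption support)."""
    if new_name == cluster["ClusterName"]:
        raise ValueError("use a new name; the old cluster stays up until cut-over")
    spec = {"ClusterName": new_name, "SSESpecification": {"Enabled": True}}
    for src, dst in _CARRY_OVER:
        if src in cluster:
            spec[dst] = cluster[src]
    if node_type:
        spec["NodeType"] = node_type
    if spec.get("NodeType", "").startswith("dax.r3."):
        raise ValueError(f"{spec['NodeType']} does not support encryption at rest; "
                         "pass node_type= to choose a supported type")
    sgs = [g["SecurityGroupIdentifier"] for g in cluster.get("SecurityGroups", [])]
    if sgs:
        spec["SecurityGroupIds"] = sgs
    pg = (cluster.get("ParameterGroup") or {}).get("ParameterGroupName")
    if pg:
        spec["ParameterGroupName"] = pg
    return spec


def is_ready_and_encrypted(cluster):
    """Post-creation check: cluster is available and SSE status is ENABLED."""
    return (cluster.get("Status") == "available"
            and (cluster.get("SSEDescription") or {}).get("Status") == "ENABLED")


def main(old_name, new_name, region, node_type=None):
    import time
    import boto3  # assumed installed; imported here so the module runs offline
    dax = boto3.client("dax", region_name=region)
    old = dax.describe_clusters(ClusterNames=[old_name])["Clusters"][0]
    dax.create_cluster(**encrypted_replacement_spec(old, new_name, node_type))
    while True:  # DAX has no waiter for cluster creation; poll instead
        new = dax.describe_clusters(ClusterNames=[new_name])["Clusters"][0]
        if is_ready_and_encrypted(new):
            break
        time.sleep(30)
    print("repoint clients to", new["ClusterDiscoveryEndpoint"]["Address"],
          "then run: aws dax delete-cluster --cluster-name", old_name)


if __name__ == "__main__":
    import sys
    main(*sys.argv[1:])
```

The old cluster is deliberately left running: deleting it is a separate, manual step after clients have moved, which is also what makes the backout below possible.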

Backout Plan:

Using AWS Console:

  1. Encryption at rest cannot be switched off on a cluster once it is enabled, so backing out means returning clients to the original unencrypted cluster, which is why that cluster is kept until the migration has been validated. If applications misbehave after cut-over, point them back at the original cluster's discovery endpoint.

  2. Sign in to the AWS Management Console, navigate to DynamoDB, then DAX and Clusters, select the new encrypted cluster and choose Delete.

  3. Verify that the original cluster still shows status Available and is receiving traffic.

Using AWS CLI:

  1. Repoint clients to the original cluster's discovery endpoint, then delete the new cluster:

    aws dax delete-cluster --cluster-name <new-cluster-name>

  2. Verify the original cluster is still available:

    aws dax describe-clusters --cluster-names <cluster-name> --query "Clusters[0].[Status,ClusterDiscoveryEndpoint.Address]" --output text

  3. Record the reason for the rollback; the cluster remains non-compliant until a replacement is attempted again.

References:

  • DAX encryption at rest: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html

  • AWS CLI, dax create-cluster: https://docs.aws.amazon.com/cli/latest/reference/dax/create-cluster.html

CIS Controls Mapping:

Version   Control ID   Control Description                                              IG1   IG2   IG3
v8        3.11         Encrypt Sensitive Data at Rest                                         x     x
v8        6.8          Define and Maintain Role-Based Access Control                                x