
Cluster Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DAX-001

Ensure that your AWS DAX cluster data at rest (i.e. data in cache, configuration data and log files) is encrypted using Server-Side Encryption in order to protect it from unauthorized access to the underlying storage and meet compliance requirements. DAX Server-Side Encryption automatically integrates with AWS Key Management Service (KMS) for managing the default key that is used to encrypt your DAX cache clusters. The encryption and decryption process adds no storage overhead, has minimal impact on performance and is completely transparent – you don't need to modify your applications to use SSE.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When encryption at rest is enabled for your Amazon DAX cache clusters, you can use the service for security-sensitive DynamoDB applications with stringent data protection requirements set by organizational policies or by industry or government regulations. Note that this rule covers encryption at rest only; encrypting the traffic between your application and the cluster endpoint is a separate cluster setting. Encryption at rest can only be chosen when a cluster is created, which is why the Remediation section below re-creates the cluster instead of modifying it.


Audit

To determine if encryption at rest is enabled for your Amazon DynamoDB Accelerator (DAX) clusters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under DAX, click Clusters.

04 Select the AWS DAX cluster that you want to examine.

05 Select the Overview tab to access the panel with the resource configuration details.

06 On the Overview tab panel, check the Encryption configuration attribute value. If the attribute value is set to DISABLED, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon DynamoDB Accelerator cache cluster.

07 Repeat steps no. 4 – 6 to verify the SSE status for other AWS DAX clusters provisioned within the selected region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all DAX cache clusters available in the selected AWS region:

aws dax describe-clusters \
  --region us-east-1 \
  --output table \
  --query 'Clusters[*].ClusterName'

02 The command output should return the requested cluster identifiers:

--------------------------
|    DescribeClusters    |
+------------------------+
|  cc-dax-cache-cluster  |
|  cc-prod-app-cluster   |
+------------------------+

03 Run describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon DAX cluster that you want to examine as identifier and custom query filters to obtain the Server-Side Encryption feature status for the selected cache cluster:

aws dax describe-clusters \
  --region us-east-1 \
  --cluster-names cc-dax-cache-cluster \
  --query 'Clusters[*].SSEDescription.Status'

04 The command output should return the requested configuration status:

[
    "DISABLED"
]

If the command output returns DISABLED, as shown in the example above, the Server-Side Encryption feature is currently disabled, therefore encryption at rest is not active for the selected Amazon DynamoDB Accelerator (DAX) cluster.

05 Repeat step no. 3 and 4 to verify the SSE feature status for other AWS DAX clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
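The manual describe-clusters check above scales poorly once you have more than a handful of regions. The script below is an added example, not code from the Conformity page: it turns steps 1 to 6 of the CLI audit into a function that evaluates every cluster in every region you pass it, follows the DescribeClusters NextToken pagination, and treats a record with no SSEDescription block as unencrypted. The cluster records and region names in the sample are constructed; audit_live() requires boto3 and AWS credentials (both assumptions) and is not exercised by the sample run.

```python
"""
Added example, not code from the Conformity page: the Audit section's
describe-clusters check as a script that evaluates every DAX cluster in
every region passed to it, with API pagination handled.

Assumptions (not from the page): the cluster records below are
constructed sample data shaped like the DescribeClusters response;
audit_live() needs boto3 and credentials and is not exercised here.
"""
from typing import Dict, Iterable, List

# SSEDescription.Status is one of ENABLING, ENABLED, DISABLING, DISABLED.
# Only ENABLED means data at rest is protected right now.
COMPLIANT_STATUS = "ENABLED"


def sse_status(cluster: dict) -> str:
    """SSE status of one cluster record; a record with no SSEDescription
    block is treated as DISABLED, since absence is not evidence of SSE."""
    return cluster.get("SSEDescription", {}).get("Status", "DISABLED")


def evaluate_clusters(region: str, clusters: Iterable[dict]) -> List[dict]:
    """One finding per cluster, mirroring steps 3 and 4 of the CLI audit."""
    findings = []
    for c in clusters:
        status = sse_status(c)
        findings.append({
            "region": region,
            "cluster": c["ClusterName"],
            "arn": c.get("ClusterArn"),
            "sse_status": status,
            "compliant": status == COMPLIANT_STATUS,
        })
    return findings


def audit_pages(region: str, pages: Iterable[dict]) -> List[dict]:
    """Evaluate every page of a paginated DescribeClusters response."""
    findings = []
    for page in pages:
        findings.extend(evaluate_clusters(region, page.get("Clusters", [])))
    return findings


def noncompliant(findings: Iterable[dict]) -> List[str]:
    """Sorted region/cluster identifiers that need remediation."""
    return sorted(f"{f['region']}/{f['cluster']}"
                  for f in findings if not f["compliant"])


def audit_live(regions: Iterable[str]) -> List[dict]:
    """Live version: pass only regions in which DAX is offered."""
    import boto3  # lazy import so the sample run below works without it
    findings = []
    for region in regions:
        dax = boto3.client("dax", region_name=region)
        kwargs: Dict[str, str] = {}
        while True:  # follow NextToken until the region is exhausted
            page = dax.describe_clusters(**kwargs)
            findings.extend(evaluate_clusters(region, page.get("Clusters", [])))
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    return findings


# Constructed sample: two pages for us-east-1 (the cluster names used in
# the Audit section plus one record with no SSEDescription block at all)
# and one page for eu-west-1.
SAMPLE_PAGES: Dict[str, List[dict]] = {
    "us-east-1": [
        {"Clusters": [
            {"ClusterName": "cc-dax-cache-cluster",
             "ClusterArn": "arn:aws:dax:us-east-1:123456789012:cache/cc-dax-cache-cluster",
             "SSEDescription": {"Status": "DISABLED"}},
            {"ClusterName": "cc-prod-app-cluster",
             "ClusterArn": "arn:aws:dax:us-east-1:123456789012:cache/cc-prod-app-cluster",
             "SSEDescription": {"Status": "ENABLED"}},
        ], "NextToken": "page-2"},
        {"Clusters": [
            {"ClusterName": "cc-legacy-cluster",
             "ClusterArn": "arn:aws:dax:us-east-1:123456789012:cache/cc-legacy-cluster"},
        ]},
    ],
    "eu-west-1": [
        {"Clusters": [
            {"ClusterName": "cc-eu-cluster",
             "ClusterArn": "arn:aws:dax:eu-west-1:123456789012:cache/cc-eu-cluster",
             "SSEDescription": {"Status": "ENABLING"}},
        ]},
    ],
}


def audit_sample() -> List[dict]:
    """Run the evaluation over the constructed sample pages."""
    findings = []
    for region, pages in SAMPLE_PAGES.items():
        findings.extend(audit_pages(region, pages))
    return findings


if __name__ == "__main__":
    for f in audit_sample():
        verdict = "PASS" if f["compliant"] else "FAIL"
        print(f"{verdict}  {f['region']:<10} {f['cluster']:<22} SSE={f['sse_status']}")
```

Only ENABLED is accepted as compliant: an ENABLING cluster is still being created and should be re-checked rather than waived, and a cluster record without any SSEDescription block is reported as DISABLED rather than silently skipped. Because DAX encryption at rest cannot be switched on after creation, every finding this produces maps to the re-create procedure in the Remediation section.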

Remediation / Resolution

To enable Server-Side Encryption (SSE) for an existing Amazon DAX cache cluster, you need to re-create that cluster with the necessary encryption configuration. To launch a new Amazon DynamoDB Accelerator cluster and enable SSE, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"DaxClusterRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "DAXServiceRoleForDynamoDBAccess",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"dax.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"Policies": [
					{
						"PolicyName": "DAXServiceRolePolicy",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"dynamodb:DescribeTable",
										"dynamodb:PutItem",
										"dynamodb:GetItem",
										"dynamodb:UpdateItem",
										"dynamodb:DeleteItem",
										"dynamodb:Query",
										"dynamodb:Scan",
										"dynamodb:BatchGetItem",
										"dynamodb:BatchWriteItem",
										"dynamodb:ConditionCheckItem"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"DAXCluster": {
			"Type": "AWS::DAX::Cluster",
			"Properties": {
				"ClusterName": "cc-encrypted-dax-cluster",
				"NodeType": "dax.r4.large",
				"ReplicationFactor": 1,
				"IAMRoleARN": {
					"Fn::GetAtt": [
						"DaxClusterRole",
						"Arn"
					]
				},
				"SSESpecification": {
					"SSEEnabled": true
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DaxClusterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: DAXServiceRoleForDynamoDBAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - dax.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: DAXServiceRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:DescribeTable
                  - dynamodb:PutItem
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:BatchGetItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:ConditionCheckItem
                Resource: '*'
  DAXCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: cc-encrypted-dax-cluster
      NodeType: dax.r4.large
      ReplicationFactor: 1
      IAMRoleARN: !GetAtt DaxClusterRole.Arn
      SSESpecification:
        SSEEnabled: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

data "aws_iam_policy_document" "assume_role" {
	statement {
		effect = "Allow"
		principals {
			type        = "Service"
			identifiers = ["dax.amazonaws.com"]
		}
		actions = ["sts:AssumeRole"]
	}
}

resource "aws_iam_role" "dax-access-role" {
	name = "DAXServiceRoleForDynamoDBAccess"
	assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Scope "resources" below to the ARNs of the DynamoDB tables the cache fronts
# wherever possible; "*" is used here only to keep the example short.
data "aws_iam_policy_document" "iam-policy" {
	statement {
		effect = "Allow"
		actions = [
			"dynamodb:DescribeTable",
			"dynamodb:PutItem",
			"dynamodb:GetItem",
			"dynamodb:UpdateItem",
			"dynamodb:DeleteItem",
			"dynamodb:Query",
			"dynamodb:Scan",
			"dynamodb:BatchGetItem",
			"dynamodb:BatchWriteItem",
			"dynamodb:ConditionCheckItem"
		]
		resources = ["*"]
	}
}

resource "aws_iam_role_policy" "role-policy" {
	name   = "iam-role-policy"
	role   = aws_iam_role.dax-access-role.id
	policy = data.aws_iam_policy_document.iam-policy.json
}

resource "aws_dax_cluster" "aws-dax-cluster" {
	cluster_name       = "cc-encrypted-dax-cluster"
	# Reference the role resource declared above (there is no aws_iam_role data source in this file).
	iam_role_arn       = aws_iam_role.dax-access-role.arn
	node_type          = "dax.r4.large"
	replication_factor = 1
	# Encryption at rest can only be set at creation time; changing it forces a new cluster.
	server_side_encryption {
		enabled = true
	}
}
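Because encryption at rest is fixed at creation time, the cheapest place to enforce this rule is before the template is deployed rather than after the Audit section finds an unencrypted cluster. The checker below is an added example, not code from the Conformity page, and serves both the CloudFormation and the Terraform remediation above: it reports any AWS::DAX::Cluster in a JSON CloudFormation template whose SSESpecification.SSEEnabled is not true, and any aws_dax_cluster in a plan exported with terraform show -json whose server_side_encryption block is absent or disabled, walking child modules as well. The two sample documents are constructed; the YAML template from the page would first need converting to JSON (for example with cfn-flip, an assumption) because the standard library has no YAML parser.

```python
"""
Added example, not code from the Conformity page: a pre-deployment
guardrail that fails a build when an IaC artifact would create a DAX
cluster without server-side encryption. Handles the two artifact types
in the Remediation section: a CloudFormation template in JSON form and
a Terraform plan exported with `terraform show -json plan.out`.

Assumed (not from the page): the two sample documents are constructed.
"""
import json
from typing import Any, Dict, Iterator, List


def _is_true(value: Any) -> bool:
    """CloudFormation accepts both the boolean true and the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_cloudformation(template: Dict[str, Any]) -> List[str]:
    """Logical IDs of AWS::DAX::Cluster resources that lack SSE."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DAX::Cluster":
            continue
        sse = res.get("Properties", {}).get("SSESpecification")
        # A missing block, or a value that is not literally true (including
        # an unresolved intrinsic such as Fn::If), is reported for review.
        if not isinstance(sse, dict) or not _is_true(sse.get("SSEEnabled")):
            bad.append(logical_id)
    return bad


def _walk_modules(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield resources from a plan module and, recursively, its children."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def check_terraform_plan(plan: Dict[str, Any]) -> List[str]:
    """Addresses of aws_dax_cluster resources planned without SSE."""
    bad = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "aws_dax_cluster":
            continue
        # Nested blocks are rendered as lists of objects in plan JSON;
        # an omitted block shows up as an empty list or is absent.
        blocks = res.get("values", {}).get("server_side_encryption") or []
        if not any(_is_true(b.get("enabled")) for b in blocks):
            bad.append(res["address"])
    return bad


def check_document(text: str) -> List[str]:
    """Detect the artifact type from its top-level keys and check it."""
    doc = json.loads(text)
    if "Resources" in doc:
        return check_cloudformation(doc)
    if "planned_values" in doc:
        return check_terraform_plan(doc)
    raise ValueError("not a CloudFormation template or a Terraform plan")


# Constructed sample template: one cluster encrypted (string "true", which
# CloudFormation accepts), one with no SSESpecification, one unrelated resource.
SAMPLE_CFN = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "EncryptedCluster": {
            "Type": "AWS::DAX::Cluster",
            "Properties": {
                "ClusterName": "cc-encrypted-dax-cluster", "NodeType": "dax.r4.large",
                "ReplicationFactor": 1,
                "IAMRoleARN": "arn:aws:iam::123456789012:role/DAXServiceRoleForDynamoDBAccess",
                "SSESpecification": {"SSEEnabled": "true"}}},
        "PlainCluster": {
            "Type": "AWS::DAX::Cluster",
            "Properties": {
                "ClusterName": "cc-plain-dax-cluster", "NodeType": "dax.r4.large",
                "ReplicationFactor": 1,
                "IAMRoleARN": "arn:aws:iam::123456789012:role/DAXServiceRoleForDynamoDBAccess"}},
        "UnrelatedTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
    },
})

# Constructed sample plan: encrypted cluster in the root module, a
# cluster with SSE explicitly disabled inside a child module.
SAMPLE_TF_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_dax_cluster.aws-dax-cluster", "type": "aws_dax_cluster",
             "name": "aws-dax-cluster",
             "values": {"cluster_name": "cc-encrypted-dax-cluster",
                        "server_side_encryption": [{"enabled": True}]}}],
        "child_modules": [{
            "address": "module.cache",
            "resources": [
                {"address": "module.cache.aws_dax_cluster.legacy", "type": "aws_dax_cluster",
                 "name": "legacy",
                 "values": {"cluster_name": "cc-legacy-cluster",
                            "server_side_encryption": [{"enabled": False}]}}]}],
    }},
})

if __name__ == "__main__":
    for label, doc in (("cloudformation", SAMPLE_CFN), ("terraform-plan", SAMPLE_TF_PLAN)):
        print(label, "non-compliant:", check_document(doc) or "none")
```

Wire check_document into the pipeline step that already has the rendered template or plan and fail the job on a non-empty result; anything the checker cannot resolve to a literal true (an Fn::If, a parameter reference) is deliberately reported rather than assumed safe, so that an exception has to be reviewed by a person.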

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under DAX, click Clusters.

04 Click Create cluster button from the dashboard top menu to initiate the setup process for the new DAX cache cluster.

05 On Create a DynamoDB Accelerator (DAX) cluster page, perform the following:

  1. In the Cluster name box, type the name of your new AWS DAX cluster.
  2. Select the cluster node type from the Node type dropdown list.
  3. Choose the number of nodes to create within the new cache cluster from the Cluster size dropdown list.
  4. Check Enable encryption checkbox to enable Server-Side Encryption (SSE) for your DAX cluster in order to help protect data at rest.
  5. From IAM role dropdown list, choose whether to create a new IAM service role or select an existing role. This IAM service role is required; it determines which DynamoDB tables the DAX cluster can access and which DynamoDB API operations it can execute on your behalf, so scope it to the tables the cache fronts rather than to all tables in the account.
  6. From Subnet group dropdown list, select the necessary subnet group for your new Amazon DAX cluster, which determines the VPC and Availability Zones for your cluster nodes.
  7. From Security group dropdown list, select the security group that controls the access to your DAX cluster. To access the new cache cluster from your DynamoDB-based application, you must enable inbound access on port 8111 for the selected security group.
  8. Within Cluster settings section, select Use default settings checkbox to make use of the default settings provided by the AWS DAX service or uncheck Use default settings checkbox to configure the cache cluster based on your application requirements.
  9. Once the cluster is fully configured, click Launch cluster to create the new Amazon DAX cache cluster.

06 Once the new cluster is created, change the cluster endpoint within your DynamoDB application to reference the new resource.

07 Now it is safe to remove the old, unencrypted DAX cache cluster from your AWS account to avoid further charges. To delete it, perform the following:

  1. Select the cache cluster that you want to remove (see Audit section part I to identify the right DAX resource).
  2. Click on the Actions dropdown menu and select the Delete option.
  3. Within Delete <cluster-name> dialog box, click the Delete button to confirm the action.

Using AWS CLI

01 Run create-cluster command (OSX/Linux/UNIX) to create a new Amazon DAX cache cluster with Server-Side Encryption (SSE) enabled at launch by setting the --sse-specification parameter to Enabled=true. The following command creates a DAX cluster named "cc-encrypted-cluster" with two dax.r4.large nodes spread across the "us-east-1a" and "us-east-1b" Availability Zones, using the IAM service role "arn:aws:iam::123456789012:role/service-role/DAXtoDynamoDB", the subnet group "cc-dax-subnet-group" and the security group "sg-abcd1234":

aws dax create-cluster \
  --region us-east-1 \
  --cluster-name cc-encrypted-cluster \
  --node-type dax.r4.large \
  --replication-factor 2 \
  --iam-role-arn arn:aws:iam::123456789012:role/service-role/DAXtoDynamoDB \
  --security-group-ids sg-abcd1234 \
  --availability-zones "us-east-1a" "us-east-1b" \
  --subnet-group-name cc-dax-subnet-group \
  --sse-specification Enabled=true

02 The command output should return the new DAX cache cluster metadata:

{
	"Cluster": {
		"Status": "creating",
		"NodeType": "dax.r4.large",
		"ClusterName": "cc-encrypted-cluster",
		"IamRoleArn": "arn:aws:iam::123456789012:role/service-role/DAXtoDynamoDB",

		...

		"ClusterArn": "arn:aws:dax:us-east-1:123456789012:cache/cc-encrypted-cluster",
		"SSEDescription": {
			"Status": "ENABLED"
		},
		"PreferredMaintenanceWindow": "sat:06:00-sat:07:00"
	}
}

03 Once the new DAX cluster has been created, change the cluster endpoint in your application to point to the new resource.

04 Terminate the old (unencrypted) DAX cache cluster in your AWS account to avoid further charges. To remove it, run the delete-cluster command (OSX/Linux/UNIX):

aws dax delete-cluster \
  --region us-east-1 \
  --cluster-name cc-dax-cache-cluster

05 The command output should return the delete-cluster request metadata:

{
	"Cluster": {
		"Status": "deleting",
		"SubnetGroup": "cc-dax-subnet-group",
		"NodeType": "dax.r4.large",
		"ClusterName": "cc-dax-cache-cluster",


		...


		"ParameterGroup": {
			"NodeIdsToReboot": [],
			"ParameterGroupName": "default.dax1.0",
			"ParameterApplyStatus": "in-sync"
		},
		"PreferredMaintenanceWindow": "sat:06:00-sat:07:00"
	}
}


Publication date Oct 15, 2018