
AppSync API caches should have encryption at rest enabled

AppSync API caches store resolved GraphQL query results to reduce latency on repeated requests. Without encryption at rest, that data sits unencrypted on the underlying storage, readable if physical media is compromised or accessed outside normal API channels. Cached responses can contain sensitive user data, authentication tokens, or business logic outputs that have no business being readable at the storage layer.

Retrofit consideration

Changing at_rest_encryption_enabled on an existing aws_appsync_api_cache forces replacement of the cache resource, which temporarily removes caching and may cause a latency spike.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/appsync/aws, set the right module inputs for this control. Note that the module only creates an aws_appsync_api_cache when caching_enabled is true; without it the encryption input is accepted but never reaches a resource. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "appsync" {
  source  = "terraform-aws-modules/appsync/aws"
  version = ">=3.0.0"

  authentication_type = "AWS_IAM"
  log_field_log_level = "ERROR"
  logging_enabled     = true
  name                = "pofix-abc123"
  schema              = "type Query { hello: String }"

  # The cache resource is only created when caching is enabled;
  # the encryption input below has no effect otherwise.
  caching_enabled                  = true
  cache_at_rest_encryption_enabled = true
}

Otherwise, use AWS provider resources directly. See the provider docs for the resource involved: aws_appsync_api_cache.

resource "aws_appsync_graphql_api" "this" {
  name                = "pofix-abc123"
  authentication_type = "API_KEY"
}

resource "aws_appsync_api_cache" "this" {
  api_caching_behavior = "FULL_REQUEST_CACHING"
  # Reference the API resource rather than hardcoding its ID.
  api_id               = aws_appsync_graphql_api.this.id
  ttl                  = 3600
  type                 = "SMALL"

  at_rest_encryption_enabled = true
  # Separate argument, also defaults to false; see "Common pitfalls".
  transit_encryption_enabled = true
}

What this control checks

The policy checks every aws_appsync_api_cache resource for at_rest_encryption_enabled = true. The argument defaults to false when omitted, so it must be declared explicitly: the check fails when the argument is missing or set to false. To pass, set at_rest_encryption_enabled = true in your aws_appsync_api_cache block alongside the required api_id, api_caching_behavior, type, and ttl arguments.
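The same rule can be applied before apply time to the JSON that `terraform show -json tfplan` emits, which catches caches created inside modules as well as at the root. The script below is an added example, not compliance.tf code; it assumes only the documented plan layout (planned_values.root_module with nested child_modules) and treats an absent argument exactly like false, as the provider default does. The sample plan embedded at the bottom is constructed for illustration.

```python
"""Evaluate "AppSync API caches should have encryption at rest enabled"
against `terraform show -json tfplan` output. Added example, not part of
compliance.tf. Assumes the standard plan JSON layout only."""
import json
import sys
from typing import Iterator

RESOURCE_TYPE = "aws_appsync_api_cache"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan: dict) -> list:
    """Return one finding per aws_appsync_api_cache in the plan.

    A missing at_rest_encryption_enabled is a FAIL, matching the provider
    default of false. transit_encryption_enabled is reported for context
    because it is a separate argument with its own default of false.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE or res.get("mode") != "managed":
            continue
        values = res.get("values", {})
        at_rest = values.get("at_rest_encryption_enabled")
        if at_rest is True:
            status, reason = "PASS", "at_rest_encryption_enabled = true"
        elif at_rest is None:
            status, reason = "FAIL", "at_rest_encryption_enabled omitted (defaults to false)"
        else:
            status, reason = "FAIL", "at_rest_encryption_enabled = false"
        findings.append({
            "address": res["address"],
            "status": status,
            "reason": reason,
            "transit_encryption_enabled": values.get("transit_encryption_enabled") is True,
        })
    return findings


# Constructed sample plan: one compliant root-level cache, one module cache
# that sets the argument to false, and one that omits it entirely.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [{
            "address": "aws_appsync_api_cache.this", "mode": "managed",
            "type": RESOURCE_TYPE, "name": "this",
            "values": {"api_caching_behavior": "FULL_REQUEST_CACHING", "ttl": 3600,
                       "type": "SMALL", "at_rest_encryption_enabled": True,
                       "transit_encryption_enabled": True}}],
        "child_modules": [
            {"address": "module.legacy", "resources": [{
                "address": "module.legacy.aws_appsync_api_cache.this[0]", "mode": "managed",
                "type": RESOURCE_TYPE, "name": "this",
                "values": {"api_caching_behavior": "PER_RESOLVER_CACHING", "ttl": 60,
                           "type": "SMALL", "at_rest_encryption_enabled": False}}]},
            {"address": "module.untouched", "resources": [{
                "address": "module.untouched.aws_appsync_api_cache.this", "mode": "managed",
                "type": RESOURCE_TYPE, "name": "this",
                "values": {"api_caching_behavior": "FULL_REQUEST_CACHING", "ttl": 300,
                           "type": "SMALL"}}]},
        ],
    }},
}


def main(argv: list) -> int:
    """Usage: python3 check_appsync_cache.py [tfplan.json]; exits 1 on any FAIL."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = evaluate_plan(plan)
    for f in findings:
        print(f"{f['status']}  {f['address']}: {f['reason']}")
    return 1 if any(f["status"] == "FAIL" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a plan-stage gate in CI (terraform plan -out=tfplan && terraform show -json tfplan > tfplan.json) so a cache block that silently inherits the false default fails the pipeline rather than the audit.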

Common pitfalls

  • Default is false

    The at_rest_encryption_enabled argument defaults to false, so declaring the cache block without it is the same as setting it to false. Terraform raises no error; the control simply fails. Explicitly set it to true.

  • Replacement required on change

    Toggling at_rest_encryption_enabled from false to true on an existing cache triggers a destroy-and-recreate cycle. Your production API will lose its cache for the duration of the replacement, which can surface as a latency spike depending on cache hit rate. Schedule the change during low-traffic hours.

  • Transit encryption is a separate argument

    Setting at_rest_encryption_enabled = true does nothing for in-transit protection. The aws_appsync_api_cache resource has a separate transit_encryption_enabled argument that defaults to false independently. Check both.

Audit evidence

Auditors expect AWS Config evaluations showing COMPLIANT for all AppSync API caches, or Prowler output confirming at_rest_encryption_enabled is true. The AppSync console's Caching page shows the encryption-at-rest setting for each API directly. A GetApiCache API call returns atRestEncryptionEnabled in the response, which should be true for every deployed cache; the calls appear in CloudTrail if you need an API-level evidence trail.
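To produce the GetApiCache evidence described above for every API in a region, the following added example (not from the page, compliance.tf or AWS) walks ListGraphqlApis and calls GetApiCache per API with boto3. The evaluation is kept separate from the AWS calls so it can be checked offline against captured responses; the two responses embedded below are constructed samples. It assumes, per the AppSync API reference, that an API with no cache configured answers GetApiCache with NotFoundException, which is recorded as "no cache" rather than as a failure.

```python
"""Collect encryption-at-rest evidence from GetApiCache for every AppSync API.
Added example; boto3 is imported lazily so the evaluation runs offline."""
import json
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional


def evaluate_cache(api_id: str, response: Optional[dict]) -> dict:
    """Turn one GetApiCache response into an evidence row.

    None means the API has no cache (GetApiCache raised NotFoundException),
    which is compliant: there is no cached data to encrypt.
    """
    if response is None:
        return {"api_id": api_id, "has_cache": False, "compliant": True,
                "note": "no cache configured"}
    cache = response.get("apiCache", {})
    at_rest = cache.get("atRestEncryptionEnabled", False)
    return {
        "api_id": api_id,
        "has_cache": True,
        "compliant": at_rest is True,
        "at_rest": at_rest,
        "transit": cache.get("transitEncryptionEnabled", False),
        "type": cache.get("type"),
        "status": cache.get("status"),
    }


def collect_evidence(api_ids: Iterable[str],
                     get_api_cache: Callable[[str], Optional[dict]]) -> list:
    """get_api_cache(api_id) returns the response dict, or None when no cache exists."""
    return [evaluate_cache(api_id, get_api_cache(api_id)) for api_id in api_ids]


def live_api_ids(client) -> Iterable[str]:
    """Page through ListGraphqlApis using nextToken."""
    token = None
    while True:
        page = client.list_graphql_apis(**({"nextToken": token} if token else {}))
        for api in page.get("graphqlApis", []):
            yield api["apiId"]
        token = page.get("nextToken")
        if not token:
            return


def live_get_api_cache(client) -> Callable[[str], Optional[dict]]:
    """Wrap GetApiCache so that a missing cache (NotFoundException) becomes None."""
    def fetch(api_id: str) -> Optional[dict]:
        try:
            return client.get_api_cache(apiId=api_id)
        except client.exceptions.NotFoundException:
            return None
    return fetch


# Constructed sample responses: one compliant cache, one not, one API without a cache.
CAPTURED = {
    "abc123": {"apiCache": {"ttl": 3600, "apiCachingBehavior": "FULL_REQUEST_CACHING",
                            "transitEncryptionEnabled": True, "atRestEncryptionEnabled": True,
                            "type": "SMALL", "status": "AVAILABLE"}},
    "def456": {"apiCache": {"ttl": 60, "apiCachingBehavior": "PER_RESOLVER_CACHING",
                            "transitEncryptionEnabled": False, "atRestEncryptionEnabled": False,
                            "type": "SMALL", "status": "AVAILABLE"}},
    "ghi789": None,
}


def main(live: bool = False) -> list:
    """Emit one JSON line per API, timestamped, suitable for an evidence bundle."""
    if live:
        import boto3  # lazy: only needed against a real account
        client = boto3.client("appsync")
        rows = collect_evidence(list(live_api_ids(client)), live_get_api_cache(client))
    else:
        rows = collect_evidence(CAPTURED.keys(), CAPTURED.get)
    collected_at = datetime.now(timezone.utc).isoformat()
    for row in rows:
        print(json.dumps({"collected_at": collected_at, **row}, sort_keys=True))
    return rows


if __name__ == "__main__":
    main(live=False)
```

Call main(live=True) with credentials that allow appsync:ListGraphqlApis and appsync:GetApiCache; each GetApiCache call is then recorded in CloudTrail, giving the API-level trail the audit paragraph mentions alongside the JSON lines this script writes.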

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: appsync_graphql_api_cache_encryption_at_rest_enabled

  • AWS Config Managed Rules: APPSYNC_CACHE_CT_ENCRYPTION_AT_REST, APPSYNC_CACHE_ENCRYPTION_AT_REST

  • Checkov Check: CKV_AWS_214

  • Powerpipe Control: aws_compliance.control.appsync_graphql_api_cache_encryption_at_rest_enabled

  • AWS Security Hub Control: AppSync.1

Last reviewed: 2026-03-08