
AppSync API caches should have encryption in transit enabled

AppSync API caches store resolved query results temporarily. Without transit encryption, data flowing between the AppSync service and the cache node travels in plaintext within the VPC, where it's exposed to packet interception or man-in-the-middle attacks. TLS adds negligible latency overhead on this path.

Cache contents often mirror sensitive backend data: user records, financial summaries, access tokens. Protecting that data in motion is a baseline requirement for any production GraphQL tier.

Retrofit consideration

Terraform treats transit_encryption_enabled as a force-replacement argument. Changing it on an existing aws_appsync_api_cache destroys and recreates the resource, leaving the API without a cache until the replacement completes. Schedule this during a maintenance window.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/appsync/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "appsync" {
  source  = "terraform-aws-modules/appsync/aws"
  version = ">=3.0.0"

  authentication_type = "AWS_IAM"
  log_field_log_level = "ERROR"
  logging_enabled     = true
  name                = "pofix-abc123"
  schema              = "type Query { hello: String }"

  cache_transit_encryption_enabled = true
}

Use AWS provider resources directly. See docs for the resources involved: aws_appsync_api_cache.

resource "aws_appsync_graphql_api" "this" {
  name                = "pofix-abc123"
  authentication_type = "API_KEY"
}

resource "aws_appsync_api_cache" "this" {
  api_caching_behavior = "FULL_REQUEST_CACHING"
  api_id               = aws_appsync_graphql_api.this.id # reference the API declared above rather than a literal id
  ttl                  = 3600
  type                 = "SMALL"

  transit_encryption_enabled = true
}

What this control checks

The control validates the aws_appsync_api_cache resource. transit_encryption_enabled must be set to true; it fails when the argument is omitted or set to false. The resource must also reference a valid api_id from an aws_appsync_graphql_api and specify a type (e.g., SMALL, MEDIUM, LARGE). If no aws_appsync_api_cache resource exists for a given API, the control does not apply, but any cache that does exist must have transit_encryption_enabled = true to pass.

Common pitfalls

  • Cache replacement on toggle

    The cache is destroyed and recreated when transit_encryption_enabled flips from false to true, because Terraform treats this as a force-replacement argument. The API loses caching entirely until the new resource is live. Plan this during a maintenance window and confirm the cache type and TTL settings are preserved in your configuration before applying.

  • No cache means no evaluation

    It is easy to read silence as compliance: if an AppSync API has no aws_appsync_api_cache resource, the control never fires. Teams using per-resolver caching without an API-level cache resource won't see a failure, just no result.

  • Confusing at_rest and in_transit arguments

    Check transit_encryption_enabled and at_rest_encryption_enabled separately. Setting one does not imply the other; both must be explicitly true if your policy requires full encryption coverage. A common pattern after a finding is enabling transit encryption and leaving at-rest encryption unset.

Audit evidence

Config rule evaluation results showing each AppSync API cache as COMPLIANT satisfy the primary requirement. The CLI command aws appsync get-api-cache --api-id <id> returns the apiCache.transitEncryptionEnabled field; it should be true for every API using caching.

Screenshots from the AppSync console showing the cache configuration with transit encryption enabled, or compliance scan reports from tools like Prowler that explicitly check this setting, work as supporting point-in-time evidence.
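The following Python script is an added example, not code from compliance.tf, Checkov or the AWS provider. It applies the control logic from "What this control checks" and the "Common pitfalls" section to two inputs: the JSON that `terraform show -json` emits for a saved plan (pre-deployment, including detection of the destroy-and-recreate the retrofit section warns about) and the JSON that `aws appsync get-api-cache` returns (post-deployment audit evidence). Both documents below are constructed for the example; the plan and response field names follow the documented shapes of those commands, and the at-rest check is included because the pitfalls section notes that one flag never implies the other.

```python
"""Added example (not part of compliance.tf or the AWS provider).

Evaluates the AppSync cache transit-encryption control two ways:
  * before deployment, over the JSON from `terraform show -json tfplan`;
  * after deployment, over the JSON from `aws appsync get-api-cache --api-id <id>`.
Every document embedded below is constructed for this example.
"""
import json

CACHE_TYPE = "aws_appsync_api_cache"
API_TYPE = "aws_appsync_graphql_api"


def _flag(values, key):
    # An omitted argument and an explicit false are both failures, as the control requires.
    return "PASS" if values.get(key) is True else "FAIL"


def evaluate_plan(plan):
    """Return the verdict for every aws_appsync_api_cache in a plan.

    With no cache resource at all the result is NOT_APPLICABLE, which is the
    'silence' the pitfalls section warns about: no cache means no evaluation.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    resources = root.get("resources", [])
    caches = {r["address"]: _flag(r.get("values", {}), "transit_encryption_enabled")
              for r in resources if r["type"] == CACHE_TYPE}
    if not caches:
        overall = "NOT_APPLICABLE"
    elif "FAIL" in caches.values():
        overall = "FAIL"
    else:
        overall = "PASS"
    return {"overall": overall, "caches": caches,
            "apis_in_plan": sum(1 for r in resources if r["type"] == API_TYPE)}


def caches_to_be_replaced(plan):
    """List cache addresses the plan will destroy and recreate, i.e. the
    force-replacement that flipping transit_encryption_enabled triggers."""
    out = []
    for change in plan.get("resource_changes", []):
        actions = set(change.get("change", {}).get("actions", []))
        if change["type"] == CACHE_TYPE and {"delete", "create"} <= actions:
            out.append(change["address"])
    return out


def evaluate_api_cache(response):
    """Evaluate one get-api-cache response as audit evidence.

    The at-rest flag is reported alongside transit because enabling one says
    nothing about the other; a missing apiCache object means no cache exists.
    """
    cache = response.get("apiCache")
    if cache is None:
        return {"overall": "NOT_APPLICABLE"}
    transit = "PASS" if cache.get("transitEncryptionEnabled") is True else "FAIL"
    at_rest = "PASS" if cache.get("atRestEncryptionEnabled") is True else "FAIL"
    return {"overall": transit, "transit": transit, "at_rest": at_rest,
            "type": cache.get("type"), "ttl": cache.get("ttl")}


# Constructed plan: one compliant cache being replaced, one legacy cache that
# omits the argument entirely (and therefore fails).
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_appsync_graphql_api.this", "type": "aws_appsync_graphql_api",
     "values": {"name": "pofix-abc123", "authentication_type": "API_KEY"}},
    {"address": "aws_appsync_api_cache.this", "type": "aws_appsync_api_cache",
     "values": {"api_caching_behavior": "FULL_REQUEST_CACHING", "ttl": 3600,
                "type": "SMALL", "transit_encryption_enabled": true}},
    {"address": "aws_appsync_api_cache.legacy", "type": "aws_appsync_api_cache",
     "values": {"api_caching_behavior": "PER_RESOLVER_CACHING", "ttl": 300,
                "type": "SMALL"}}
  ]}},
  "resource_changes": [
    {"address": "aws_appsync_api_cache.this", "type": "aws_appsync_api_cache",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_appsync_api_cache.legacy", "type": "aws_appsync_api_cache",
     "change": {"actions": ["no-op"]}}
  ]
}
""")

# Constructed get-api-cache response: transit on, at-rest left unset.
SAMPLE_CACHE_RESPONSE = json.loads("""
{"apiCache": {"ttl": 3600, "apiCachingBehavior": "FULL_REQUEST_CACHING",
              "transitEncryptionEnabled": true, "atRestEncryptionEnabled": false,
              "type": "SMALL", "status": "AVAILABLE"}}
""")

if __name__ == "__main__":
    print(json.dumps(evaluate_plan(SAMPLE_PLAN), indent=2))
    print("will be replaced:", caches_to_be_replaced(SAMPLE_PLAN))
    print(json.dumps(evaluate_api_cache(SAMPLE_CACHE_RESPONSE), indent=2))
```

Feed `evaluate_plan` the output of `terraform show -json tfplan` and `evaluate_api_cache` the output of `aws appsync get-api-cache --api-id <id>` for each API returned by `aws appsync list-graphql-apis`; a non-empty `caches_to_be_replaced` result is the signal to schedule the apply in a maintenance window.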

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: appsync_graphql_api_cache_encryption_in_transit_enabled

  • AWS Config Managed Rule: APPSYNC_CACHE_CT_ENCRYPTION_IN_TRANSIT

  • Checkov Check: CKV_AWS_215

  • Powerpipe Control: aws_compliance.control.appsync_graphql_api_cache_encryption_in_transit_enabled

  • AWS Security Hub Control: AppSync.6

Last reviewed: 2026-03-09