DynamoDB Accelerator (DAX) clusters should be encrypted at rest

DAX caches frequently accessed DynamoDB items in memory and on disk. Without encryption at rest, anyone with access to the underlying storage media can read cached data in plaintext. This is especially dangerous because DAX often holds your hottest, most frequently queried records.

Encryption at rest for DAX cannot be toggled after cluster creation. If you skip it during initial provisioning, the only path forward is destroying and recreating the cluster, which means cache downtime and a cold start. Getting this right on day one saves real operational pain later.

Retrofit consideration

DAX encryption at rest cannot be enabled on an existing cluster. You must destroy and recreate the cluster with server_side_encryption enabled, which causes full cache loss and downtime.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_dax_cluster.

# Random suffix for the cluster name (requires the hashicorp/random provider).
resource "random_integer" "this" {
  min = 1000
  max = 9999
}

resource "aws_dax_cluster" "this" {
  cluster_name       = "pfxdax${random_integer.this.id}"
  iam_role_arn       = "arn:aws:iam::123456789012:role/example-role" # placeholder account and role
  node_type          = "dax.t3.small"
  replication_factor = 1
  subnet_group_name  = "example-dax-subnet-group"

  # Required by this control. Cannot be changed after creation; adding it
  # to an existing cluster forces destroy and recreate.
  server_side_encryption {
    enabled = true
  }
}

What this control checks

The control validates that each aws_dax_cluster resource includes a server_side_encryption block with enabled set to true. It fails if the block is absent or enabled is false. DAX encryption at rest uses AWS owned keys by default; there is no option to specify a customer managed KMS key. The single required argument is server_side_encryption { enabled = true } on the aws_dax_cluster resource.

Common pitfalls

  • Encryption cannot be added post-creation

    Unlike most AWS resources, DAX does not support modifying encryption at rest after creation. Calling aws dax create-cluster without --sse-specification Enabled=true permanently locks the cluster as unencrypted. In Terraform, adding server_side_encryption { enabled = true } to an existing aws_dax_cluster forces resource replacement (destroy and recreate), causing full cache eviction.

  • No customer managed KMS key support

    DAX encryption at rest only supports AWS owned keys. If your compliance program requires customer managed keys (CMKs) for all data stores, DAX cannot meet that requirement natively. Document this as a compensating control gap.

  • Confusing server_side_encryption with in-transit

    DAX has separate settings for at-rest and in-transit encryption. The server_side_encryption block controls at-rest. The cluster_endpoint_encryption_type argument (for example TLS) controls endpoint in-transit encryption. Enabling one does not enable the other.

Audit evidence

AWS Config evaluation results for the dax-encryption-enabled managed rule should show all DAX clusters COMPLIANT. The aws dax describe-clusters CLI output includes an SSEDescription object; Status should be ENABLED for every cluster. DAX console screenshots showing the encryption status column can supplement automated evidence.

Security Hub findings for this control, filtered across all accounts and regions running DAX clusters, work as continuous assurance evidence. CloudTrail CreateCluster events confirm that encryption was specified at provisioning time.
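To turn `aws dax describe-clusters` output into per-cluster evidence for this control, here is an added Python example (not part of the original page or of Compliance.tf). The JSON sample is constructed, and the script keeps the at-rest status (SSEDescription.Status) separate from the endpoint TLS setting so the two are not confused.

```python
import json

# Constructed sample shaped like `aws dax describe-clusters --output json`.
# Cluster names and values are made up for this example.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterName": "pfxdax1001", "Status": "available",
         "SSEDescription": {"Status": "ENABLED"},
         "ClusterEndpointEncryptionType": "TLS"},
        {"ClusterName": "pfxdax1002", "Status": "available",
         "SSEDescription": {"Status": "DISABLED"},
         "ClusterEndpointEncryptionType": "TLS"},
        {"ClusterName": "pfxdax1003", "Status": "creating",
         "ClusterEndpointEncryptionType": "NONE"},
    ]
})


def evaluate_dax_clusters(describe_output: str) -> list[dict]:
    """Evaluate each cluster against dax_cluster_encryption_at_rest_enabled.

    A cluster is COMPLIANT only when SSEDescription.Status is ENABLED.
    A missing SSEDescription is treated as DISABLED: the cluster was created
    without --sse-specification Enabled=true and, since DAX cannot enable
    encryption at rest after creation, it must be recreated.
    """
    findings = []
    for cluster in json.loads(describe_output).get("Clusters", []):
        sse_status = cluster.get("SSEDescription", {}).get("Status", "DISABLED")
        findings.append({
            "cluster": cluster["ClusterName"],
            "at_rest": sse_status,
            "compliance": "COMPLIANT" if sse_status == "ENABLED" else "NON_COMPLIANT",
            # Reported separately: endpoint TLS is the in-transit setting and
            # does not satisfy this at-rest control.
            "in_transit": cluster.get("ClusterEndpointEncryptionType", "NONE"),
        })
    return findings


def non_compliant_clusters(describe_output: str) -> list[str]:
    """Names of clusters that need destroy-and-recreate with SSE enabled."""
    return [f["cluster"] for f in evaluate_dax_clusters(describe_output)
            if f["compliance"] != "COMPLIANT"]


if __name__ == "__main__":
    for f in evaluate_dax_clusters(SAMPLE_DESCRIBE_CLUSTERS):
        print(f"{f['cluster']}: at rest {f['at_rest']} -> {f['compliance']} "
              f"(in transit: {f['in_transit']})")
```

Feed it real output with `aws dax describe-clusters --output json > clusters.json` and pass the file contents to `evaluate_dax_clusters`; the returned list can be attached to the evidence package alongside the AWS Config results.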

Framework-specific interpretation

PCI DSS v4.0: DAX caches that hold cardholder data are storage locations under Requirement 3.5, full stop. PCI DSS v4.0 requires PANs be rendered unreadable wherever stored; encryption at rest satisfies that for both the in-memory and on-disk data DAX holds.

HIPAA Omnibus Rule 2013: Under 45 CFR 164.312(a)(2)(iv), encryption at rest for ePHI is an addressable specification, but addressable does not mean optional. If DAX is caching DynamoDB data that contains ePHI, the cluster must have server-side encryption enabled to meet that specification.

GDPR: Article 32 requires technical measures appropriate to the risk of unauthorized access to personal data. An unencrypted DAX cluster caching personal data is a straightforward gap against that obligation.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: dax_cluster_encryption_at_rest_enabled

  • AWS Config Managed Rule: DAX_ENCRYPTION_ENABLED

  • Checkov Check: CKV_AWS_47

  • Powerpipe Control: aws_compliance.control.dax_cluster_encryption_at_rest_enabled

  • Prowler Check: dynamodb_accelerator_cluster_encryption_enabled

  • AWS Security Hub Control: DynamoDB.3

  • KICS Query: f11aec39-858f-4b6f-b946-0a1bf46c0c87

  • Trivy Check: AWS-0023

Last reviewed: 2026-03-09