Ensure DAX is securely encrypted at rest

Error: DAX is not securely encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_23
Checkov Check ID: CKV_AWS_47
Severity: HIGH

DAX is not securely encrypted at rest


Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection, helping secure your data from unauthorized access to underlying storage.

With encryption at rest the data persisted by DAX on disk is encrypted using 256-bit Advanced Encryption Standard (AES-256). DAX writes data to disk as part of propagating changes from the primary node to read replicas. DAX encryption at rest automatically integrates with AWS KMS for managing the single service default key used to encrypt clusters.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon DynamoDB console.
  3. In the navigation pane on the left side of the console, under DAX, select Clusters.
  4. Click Create Cluster.
  5. For Cluster name, enter a short name for your cluster. Select the node type for all of the nodes in the cluster, and for the cluster size, use 3 nodes.
  6. In Encryption, make sure that Enable encryption is selected.
    7 After selecting the IAM role, subnet group, security groups, and cluster settings, select Launch cluster.

CLI Command

To creates a DAX cluster:

aws dax create-cluster \
    --cluster-name daxcluster \
    --node-type dax.r4.large \
    --replication-factor 3 \
    --iam-role-arn roleARN  \
    --sse-specification Enabled=true

Fix - Buildtime


  • Resource: aws_dax_cluster
  • Arguments: server_side_encryption - (Optional) Encrypt at rest options, enabled/disabled.
resource "aws_dax_cluster" "example" {
  cluster_name       = "cluster-example"
+ server_side_encryption = enabled


  • Resource: AWS::DAX::Cluster
  • Arguments: Properties.SSESpecification.SSEEnabled - (Optional) Encrypt at rest options, enabled/disabled.
    Type: AWS::DAX::Cluster
+     SSESpecification:
+       SSEEnabled: true