Ensure AWS Appsync API Cache is encrypted at rest

Error: AWS Appsync API Cache is not encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_156
Checkov Check ID: CKV_AWS_214
Severity: LOW

AWS Appsync API Cache is not encrypted at rest


Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots.

We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.

Fix - Runtime

Fix - Buildtime

resource "aws_appsync_api_cache" "pass" {
  api_id                     = aws_appsync_graphql_api.default.id
  transit_encryption_enabled = true
  at_rest_encryption_enabled = true
  ttl                        = 60
  type                       = "SMALL"
  api_caching_behavior       = "FULL_REQUEST_CACHING"