AWS Appsync API Cache is not encrypted at rest

Description

Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots.

We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.

Fix - Runtime

Fix - Buildtime

resource "aws_appsync_api_cache" "pass" {
  api_id                     = aws_appsync_graphql_api.default.id
  transit_encryption_enabled = true
  at_rest_encryption_enabled = true
  ttl                        = 60
  type                       = "SMALL"
  api_caching_behavior       = "FULL_REQUEST_CACHING"
}