Amazon DynamoDB

DynamoDB Accelerator Cluster Encryption Not Enabled

This plugin ensures DynamoDB Accelerator (DAX) clusters have encryption at rest enabled

Risk Level: Medium

Description

This plugin ensures DynamoDB Accelerator (DAX) clusters have encryption at rest enabled. DAX holds a copy of your DynamoDB data in its cache; encryption at rest protects that copy from anyone who gains unauthorized access to the underlying storage. For the best security posture, encryption at rest must be enabled for every DAX cluster.

About the Service

Amazon DynamoDB: As per the AWS documentation, Amazon DynamoDB is a fully managed NoSQL database designed to run high-performance applications at any scale. It is serverless, and alongside its performance it offers built-in security, continuous backups, and data export tools. DynamoDB Accelerator (DAX) is the fully managed in-memory cache for DynamoDB; this plugin examines DAX clusters.

Impact

It is highly recommended to encrypt Amazon DynamoDB DAX clusters at rest. If encryption at rest is not enabled, an attacker who gains access to the cluster's underlying storage can read the cached data in the clear. Note that encryption at rest can only be enabled when a DAX cluster is created; it cannot be turned on for an existing cluster, which is why remediation requires replacing the cluster rather than changing a setting.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the DynamoDB Management Console. You can use this link (https://console.aws.amazon.com/dynamodbv2) to navigate directly if already logged in. 
  3. Move to the Clusters in the DAX section from the left navigation pane.
  4. A list of Clusters in the region will appear. Select the one you wish to examine by clicking on its Name.
  5. Move to the Settings Tab.
  6. In the Security Configuration section, check whether Encryption at rest is enabled. If it is not, the cluster is flagged by this plugin.
  7. Repeat steps for all the Clusters you want to investigate.
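The same check can be run programmatically instead of clicking through each cluster. The following is an added example, not the plugin's own code: it evaluates the `Clusters` list returned by the boto3 `dax.describe_clusters()` call, passing a cluster only when `SSEDescription.Status` is `ENABLED`. The sample response embedded at the bottom is constructed, and the account ID and cluster names in it are placeholders; `scan_region` is the live variant and needs AWS credentials.

```python
"""Check DynamoDB Accelerator (DAX) clusters for encryption at rest.

Added example, not the plugin's own code. A cluster passes only when
SSEDescription.Status is ENABLED; the transitional ENABLING state and a
missing SSEDescription both count as failing, because data cached before
encryption is active is stored in the clear.
"""
from typing import Dict, List

ENCRYPTED = "ENABLED"  # value DAX reports in SSEDescription.Status once SSE is on


def evaluate_dax_clusters(clusters: List[Dict]) -> List[Dict]:
    """Return one finding per entry of the describe_clusters 'Clusters' list."""
    findings = []
    for cluster in clusters:
        sse = cluster.get("SSEDescription") or {}
        status = sse.get("Status", "DISABLED")
        findings.append({
            "cluster": cluster.get("ClusterName"),
            "arn": cluster.get("ClusterArn"),
            "sse_status": status,
            # Encryption in transit is reported separately; shown for context only.
            "in_transit": cluster.get("ClusterEndpointEncryptionType", "NONE"),
            "compliant": status == ENCRYPTED,
        })
    return findings


def scan_region(region: str) -> List[Dict]:
    """Live scan: page through describe_clusters with boto3 (needs credentials)."""
    import boto3  # imported here so the offline demo below has no dependency on it

    dax = boto3.client("dax", region_name=region)
    clusters, token = [], None
    while True:
        page = dax.describe_clusters(**({"NextToken": token} if token else {}))
        clusters.extend(page.get("Clusters", []))
        token = page.get("NextToken")
        if not token:
            break
    return evaluate_dax_clusters(clusters)


# Constructed sample shaped like a describe_clusters response (placeholder data).
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-cache",
     "ClusterArn": "arn:aws:dax:us-east-1:111122223333:cache/orders-cache",
     "SSEDescription": {"Status": "ENABLED"}, "ClusterEndpointEncryptionType": "TLS"},
    {"ClusterName": "legacy-cache",
     "ClusterArn": "arn:aws:dax:us-east-1:111122223333:cache/legacy-cache",
     "SSEDescription": {"Status": "DISABLED"}, "ClusterEndpointEncryptionType": "NONE"},
    # Older response with no SSEDescription at all: treated as unencrypted.
    {"ClusterName": "old-cache",
     "ClusterArn": "arn:aws:dax:us-east-1:111122223333:cache/old-cache"},
]

if __name__ == "__main__":
    for f in evaluate_dax_clusters(SAMPLE_CLUSTERS):
        print(f"{f['cluster']:<14} at-rest={f['sse_status']:<9} "
              f"in-transit={f['in_transit']:<5} {'PASS' if f['compliant'] else 'FAIL'}")
```

Run it as-is to see the verdict for the constructed sample, or call `scan_region("us-east-1")` from a session with `dax:DescribeClusters` permission to evaluate real clusters; the plugin's console steps correspond to the single `compliant` flag per cluster.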

Steps for Remediation

Create a new DAX cluster with encryption enabled:

  1. Log In to your AWS Console.
  2. Open the DynamoDB Management Console. You can use this link (https://console.aws.amazon.com/dynamodbv2) to navigate directly if already logged in. 
  3. Move to the Clusters in the DAX section from the left navigation pane.
  4. Click on Create Cluster. 
  5. Specify the details as per requirements. In Step 3 (Configure Security), leave both encryption options (Encryption at rest and Encryption in transit) checked; encryption at rest cannot be added to the cluster later.
  6. Proceed with the remaining steps to create the new cluster. Once it is available, update the DynamoDB application's DAX endpoint configuration to point at the new cluster and confirm the application is working against it.
  7. Now select the vulnerable cluster by clicking the checkbox next to it.
  8. Click Delete to remove the old, unencrypted cluster.
  9. Repeat steps for all the vulnerable clusters.
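Because encryption at rest is fixed at creation time, remediation is a create, verify, cut over, delete sequence, and the order matters: the old cluster must not be deleted until the replacement is both available and reporting `SSEDescription.Status` of `ENABLED`. The following is an added example, not the plugin's own code, that drives that sequence through the boto3 DAX calls (`create_cluster` with `SSESpecification={"Enabled": True}` and `ClusterEndpointEncryptionType="TLS"`, `describe_clusters`, `delete_cluster`). The `FakeDaxClient` is a constructed stand-in for `boto3.client("dax")` so the flow can be exercised offline; the cluster names, node type, subnet group and IAM role ARN are placeholders.

```python
"""Replace an unencrypted DAX cluster with an encrypted one, then retire it.

Added example, not the plugin's own code. FakeDaxClient is a constructed
offline stand-in for boto3.client("dax"); pass a real client to run it live.
"""
import time
from typing import Callable, Dict


class ClusterNotReady(Exception):
    """Raised when the replacement cluster is not yet available with SSE enabled."""


def create_encrypted_replacement(dax, name: str, node_type: str, replication_factor: int,
                                 iam_role_arn: str, subnet_group: str) -> Dict:
    """Create a DAX cluster with at-rest (SSE) and in-transit (TLS) encryption."""
    return dax.create_cluster(
        ClusterName=name, NodeType=node_type, ReplicationFactor=replication_factor,
        IamRoleArn=iam_role_arn, SubnetGroupName=subnet_group,
        SSESpecification={"Enabled": True},    # at rest; cannot be changed after creation
        ClusterEndpointEncryptionType="TLS",   # in transit
    )["Cluster"]


def wait_until_encrypted_and_available(dax, name: str, attempts: int = 60,
                                       sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll until the cluster is available with SSE ENABLED; return host:port."""
    for _ in range(attempts):
        cluster = dax.describe_clusters(ClusterNames=[name])["Clusters"][0]
        if cluster.get("Status") == "available":
            sse = (cluster.get("SSEDescription") or {}).get("Status")
            if sse != "ENABLED":  # never cut over to a cluster that is not encrypted
                raise ClusterNotReady(f"{name} is available but SSE status is {sse}")
            ep = cluster["ClusterDiscoveryEndpoint"]
            return f"{ep['Address']}:{ep['Port']}"
        sleep(10)
    raise ClusterNotReady(f"{name} not available after {attempts} polls")


def retire_old_cluster(dax, old_name: str, new_name: str) -> None:
    """Delete the unencrypted cluster only after the replacement is verified."""
    wait_until_encrypted_and_available(dax, new_name, attempts=1, sleep=lambda _: None)
    dax.delete_cluster(ClusterName=old_name)


class FakeDaxClient:
    """Constructed stand-in for the three boto3 DAX calls used above."""

    def __init__(self):
        self.polls, self.deleted = 0, []
        self.clusters = {"legacy-cache": {"ClusterName": "legacy-cache", "Status": "available",
                                          "SSEDescription": {"Status": "DISABLED"}}}

    def create_cluster(self, **kw):
        c = {"ClusterName": kw["ClusterName"], "Status": "creating",
             "SSEDescription": {"Status": "ENABLING" if kw["SSESpecification"]["Enabled"] else "DISABLED"},
             "ClusterEndpointEncryptionType": kw["ClusterEndpointEncryptionType"],
             "ClusterDiscoveryEndpoint": {
                 "Address": f"{kw['ClusterName']}.abc123.dax-clusters.us-east-1.amazonaws.com",
                 "Port": 9111 if kw["ClusterEndpointEncryptionType"] == "TLS" else 8111}}
        self.clusters[c["ClusterName"]] = c
        return {"Cluster": c}

    def describe_clusters(self, ClusterNames=None, **_):
        self.polls += 1
        for c in self.clusters.values():  # simulated creation completes on the second poll
            if c["Status"] == "creating" and self.polls >= 2:
                c["Status"] = "available"
                if c["SSEDescription"]["Status"] == "ENABLING":
                    c["SSEDescription"]["Status"] = "ENABLED"
        names = ClusterNames or list(self.clusters)
        return {"Clusters": [self.clusters[n] for n in names]}

    def delete_cluster(self, ClusterName):
        self.deleted.append(ClusterName)
        self.clusters[ClusterName]["Status"] = "deleting"
        return {"Cluster": self.clusters[ClusterName]}


def demo() -> Dict:
    """Run the full sequence against the fake client and report what happened."""
    dax, old, new = FakeDaxClient(), "legacy-cache", "legacy-cache-enc"
    create_encrypted_replacement(dax, new, "dax.r5.large", 3,
                                 "arn:aws:iam::111122223333:role/DAXServiceRole", "dax-subnets")
    try:
        retire_old_cluster(dax, old, new)  # too early: the replacement is still creating
        premature = False
    except ClusterNotReady:
        premature = True
    endpoint = wait_until_encrypted_and_available(dax, new, sleep=lambda _: None)
    retire_old_cluster(dax, old, new)      # safe now: verified available and ENABLED
    return {"endpoint": endpoint, "deleted": dax.deleted, "blocked_premature_delete": premature}


if __name__ == "__main__":
    print(demo())
```

The endpoint returned by `wait_until_encrypted_and_available` is what goes into the application's DAX client configuration before the old cluster is retired; a TLS cluster's discovery endpoint listens on port 9111 rather than the unencrypted 8111, so the client must be pointed at the new host and port, not just the new name.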