DynamoDB Accelerator (DAX) Cluster Encryption in Transit
Overview
This check verifies that each Amazon DynamoDB Accelerator (DAX) cluster was created with its cluster endpoint encryption type set to TLS, so that every client connection to the cluster is protected. TLS (Transport Layer Security) encrypts and authenticates the data moving between your applications and the DAX cluster; the setting is chosen when the cluster is created and cannot be changed afterwards.
Risk
Without encryption in transit, traffic between your applications and the DAX cluster crosses the VPC network in plaintext, which exposes it to:
- Eavesdropping: anyone with a network position inside the VPC (a compromised instance, a misconfigured peering or traffic mirror) can read cached items, queries, and any credentials or tokens carried over the connection
- Data tampering: requests and responses can be modified in transit, which could poison the cache with attacker-chosen items
- Session hijacking: without TLS protection, attackers could take over legitimate sessions
This is a medium severity finding: DAX clusters are reachable only from inside their VPC, so exploitation requires a network foothold, but once an attacker has one the cached data is fully exposed during transmission.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage DAX clusters
- An existing VPC with subnets for the DAX cluster
Important: Encryption in transit is a create-time setting (ClusterEndpointEncryptionType) and cannot be switched on for an existing DAX cluster. You must create a new cluster with TLS enabled, point your applications at the new cluster, then delete the old cluster.
AWS Console Method
- Open the DynamoDB console
- In the left navigation, select DAX > Clusters
- Click Create cluster
- Configure your cluster settings:
- Enter a Cluster name
- Select a Node type (e.g., dax.r5.large)
- Set the Cluster size (number of nodes)
- Under Encryption, find Encryption in transit
- Select TLS from the dropdown
- Complete the remaining configuration (VPC, subnet group, IAM role, security groups)
- Click Create cluster
- Update your application to use the new cluster's discovery endpoint. The endpoint URL of a TLS cluster uses the daxs:// scheme on port 9111, whereas an unencrypted cluster uses dax:// on port 8111, so copy the URL from the new cluster's details rather than editing the old one
- Once verified, delete the old unencrypted cluster
AWS CLI (optional)
Create a new DAX cluster with TLS encryption enabled:
aws dax create-cluster \
--cluster-name my-secure-dax-cluster \
--node-type dax.r5.large \
--replication-factor 3 \
--iam-role-arn arn:aws:iam::123456789012:role/DAXServiceRole \
--subnet-group-name my-dax-subnet-group \
--security-group-ids sg-0123456789abcdef0 \
--cluster-endpoint-encryption-type TLS \
--region us-east-1
Parameters to customize:
- --cluster-name: Your cluster identifier (1-20 alphanumeric characters or hyphens, starting with a letter)
- --node-type: Compute capacity (e.g., dax.r5.large, dax.r5.xlarge)
- --replication-factor: Number of nodes; 1 creates a single-node cluster, 3-10 (one primary plus read replicas) is recommended for production
- --iam-role-arn: IAM role that DAX assumes to read from and write to DynamoDB on behalf of clients
- --subnet-group-name: Subnet group for the cluster
- --security-group-ids: Security groups to apply (allow inbound TCP 9111 from your application's security groups only)
- --cluster-endpoint-encryption-type: NONE (the default) or TLS; this value cannot be changed after creation
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: DAX cluster with encryption in transit enabled
Parameters:
  ClusterName:
    Type: String
    Default: my-dax-cluster
    Description: Name of the DAX cluster
  NodeType:
    Type: String
    Default: dax.r5.large
    Description: Node type for the DAX cluster
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the DAX cluster
Resources:
  DAXServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ClusterName}-dax-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: dax.amazonaws.com
            Action: sts:AssumeRole
      # AmazonDynamoDBReadOnlyAccess only lets DAX serve reads. Write-through
      # operations (PutItem, UpdateItem, DeleteItem, BatchWriteItem) need write
      # permission on the cached tables, so in practice replace this with an
      # inline policy scoped to the ARNs of those tables.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
  DAXSubnetGroup:
    Type: AWS::DAX::SubnetGroup
    Properties:
      SubnetGroupName: !Sub '${ClusterName}-subnet-group'
      Description: Subnet group for DAX cluster
      SubnetIds: !Ref SubnetIds
  DAXCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      Description: DAX cluster with TLS encryption enabled
      IAMRoleARN: !GetAtt DAXServiceRole.Arn
      NodeType: !Ref NodeType
      ReplicationFactor: 3
      SubnetGroupName: !Ref DAXSubnetGroup
      # Create-time only: NONE (default) or TLS. Changing it replaces the cluster.
      ClusterEndpointEncryptionType: TLS
Outputs:
  ClusterArn:
    Description: ARN of the DAX cluster
    Value: !GetAtt DAXCluster.Arn
  ClusterEndpoint:
    Description: Discovery endpoint of the DAX cluster (daxs:// for a TLS cluster)
    Value: !GetAtt DAXCluster.ClusterDiscoveryEndpoint
Deploy with:
aws cloudformation create-stack \
--stack-name secure-dax-cluster \
--template-body file://dax-cluster.yaml \
--parameters ParameterKey=SubnetIds,ParameterValue="subnet-abc123,subnet-def456" \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_name" {
  description = "Name of the DAX cluster"
  type        = string
  default     = "my-dax-cluster"
}

variable "subnet_ids" {
  description = "List of subnet IDs for the DAX cluster"
  type        = list(string)
}

resource "aws_iam_role" "dax_role" {
  name = "${var.cluster_name}-dax-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "dax.amazonaws.com"
        }
      }
    ]
  })
}

# AmazonDynamoDBReadOnlyAccess only lets DAX serve reads. Write-through
# operations (PutItem, UpdateItem, DeleteItem, BatchWriteItem) need write
# permission on the cached tables, so in practice attach an inline policy
# scoped to the ARNs of those tables instead.
resource "aws_iam_role_policy_attachment" "dax_dynamodb_access" {
  role       = aws_iam_role.dax_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
}

resource "aws_dax_subnet_group" "main" {
  name       = "${var.cluster_name}-subnet-group"
  subnet_ids = var.subnet_ids
}

resource "aws_dax_cluster" "main" {
  cluster_name       = var.cluster_name
  iam_role_arn       = aws_iam_role.dax_role.arn
  node_type          = "dax.r5.large"
  replication_factor = 3
  subnet_group_name  = aws_dax_subnet_group.main.name

  # Enable TLS encryption in transit. This is a create-time setting:
  # changing it later forces Terraform to replace the cluster.
  cluster_endpoint_encryption_type = "TLS"
}

output "cluster_arn" {
  description = "ARN of the DAX cluster"
  value       = aws_dax_cluster.main.arn
}

output "cluster_endpoint" {
  description = "Discovery endpoint address of the DAX cluster"
  value       = aws_dax_cluster.main.cluster_address
}
Verification
After creating your new cluster, verify TLS encryption is enabled:
- Open the DynamoDB console
- Navigate to DAX > Clusters
- Select your cluster
- In the cluster details, confirm Encryption in transit shows TLS
CLI verification
aws dax describe-clusters \
--cluster-names my-secure-dax-cluster \
--query 'Clusters[0].ClusterEndpointEncryptionType' \
--region us-east-1
The output should return "TLS". An unencrypted cluster returns "NONE".
To check all DAX clusters in a region, including the discovery endpoint URL each application should be using (daxs:// for a TLS cluster, dax:// otherwise):
aws dax describe-clusters \
--query 'Clusters[*].{Name:ClusterName,Encryption:ClusterEndpointEncryptionType,Endpoint:ClusterDiscoveryEndpoint.URL}' \
--region us-east-1
DAX clusters are regional, so repeat the command for every region you use.
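The CLI queries above are easy to run by hand but awkward to put in a pipeline. The script below is an added example (not part of this page or of any AWS tool) that evaluates the JSON produced by aws dax describe-clusters, flags every cluster whose ClusterEndpointEncryptionType is not TLS, and additionally checks that the cluster's discovery endpoint URL agrees with that setting (daxs:// on port 9111 for TLS, dax:// on port 8111 for plaintext), since that URL is what applications must be pointed at during migration. The sample response, cluster names and hostnames embedded in it are constructed for illustration; the optional live mode assumes boto3 and AWS credentials are available.

```python
"""Audit DAX clusters for encryption in transit.

evaluate_clusters() works on the JSON shape returned by
`aws dax describe-clusters` (or boto3's DAX.describe_clusters), so it can be
exercised offline; audit_region() performs the live call with boto3.
"""
import json
import sys
from urllib.parse import urlparse

TLS_PORT = 9111        # TLS-enabled clusters publish daxs://host:9111
PLAINTEXT_PORT = 8111  # unencrypted clusters publish dax://host:8111

# Constructed sample in the shape of `aws dax describe-clusters` output.
# Names and hostnames are illustrative, not real resources.
SAMPLE_RESPONSE = {
    "Clusters": [
        {
            "ClusterName": "my-secure-dax-cluster",
            "Status": "available",
            "ClusterEndpointEncryptionType": "TLS",
            "ClusterDiscoveryEndpoint": {
                "Address": "my-secure-dax-cluster.abc123.dax-clusters.us-east-1.amazonaws.com",
                "Port": 9111,
                "URL": "daxs://my-secure-dax-cluster.abc123.dax-clusters.us-east-1.amazonaws.com:9111",
            },
        },
        {
            "ClusterName": "legacy-cache",
            "Status": "available",
            "ClusterEndpointEncryptionType": "NONE",
            "ClusterDiscoveryEndpoint": {
                "Address": "legacy-cache.abc123.dax-clusters.us-east-1.amazonaws.com",
                "Port": 8111,
                "URL": "dax://legacy-cache.abc123.dax-clusters.us-east-1.amazonaws.com:8111",
            },
        },
    ]
}


def endpoint_is_tls(url):
    """True only for a daxs:// URL on the TLS port; anything else is plaintext or malformed."""
    parsed = urlparse(url)
    return parsed.scheme == "daxs" and parsed.port == TLS_PORT


def evaluate_clusters(describe_output):
    """Classify every cluster in a describe-clusters response.

    A cluster passes only when the API reports TLS *and* its discovery
    endpoint URL agrees; a mismatch is reported so it can be investigated.
    """
    findings = []
    for cluster in describe_output.get("Clusters", []):
        enc = cluster.get("ClusterEndpointEncryptionType", "NONE")
        url = cluster.get("ClusterDiscoveryEndpoint", {}).get("URL", "")
        reasons = []
        if enc != "TLS":
            reasons.append("ClusterEndpointEncryptionType is %s" % enc)
        if url and not endpoint_is_tls(url):
            reasons.append("discovery endpoint %s is not daxs:// on port %d" % (url, TLS_PORT))
        findings.append({
            "name": cluster.get("ClusterName"),
            "encryption": enc,
            "endpoint": url,
            "compliant": not reasons,
            "reasons": reasons,
        })
    return findings


def noncompliant_names(describe_output):
    """Names of clusters that must be replaced by a TLS-enabled cluster."""
    return [f["name"] for f in evaluate_clusters(describe_output) if not f["compliant"]]


def audit_region(region):
    """Live variant: page through DescribeClusters with boto3 (needs credentials)."""
    import boto3  # imported lazily so the pure functions stay dependency-free
    client = boto3.client("dax", region_name=region)
    clusters, kwargs = [], {}
    while True:
        page = client.describe_clusters(**kwargs)
        clusters.extend(page["Clusters"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return evaluate_clusters({"Clusters": clusters})


def main(argv):
    """Usage: aws dax describe-clusters --region us-east-1 | python dax_tls_audit.py
       or:    python dax_tls_audit.py --region us-east-1   (live, via boto3)"""
    if len(argv) == 3 and argv[1] == "--region":
        findings = audit_region(argv[2])
    else:
        findings = evaluate_clusters(json.load(sys.stdin))
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        print("%s %-20s %-4s %s" % (status, f["name"], f["encryption"], "; ".join(f["reasons"])))
    # Non-zero exit lets a CI job or cron alert on any unencrypted cluster.
    return 0 if all(f["compliant"] for f in findings) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per region, since DAX clusters are regional. The endpoint cross-check is deliberate: the encryption type tells you what the cluster was created with, while the URL is what the application configuration must contain after migration, and a dax:// URL lingering in an application config against a TLS cluster is the usual migration mistake.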
Additional Resources
- AWS Documentation: DAX Encryption in Transit
- AWS Documentation: DAX Cluster Management
- AWS Security Hub: DynamoDB Controls
Notes
- Encryption cannot be changed after creation: You must create a new cluster with TLS enabled and migrate your applications. Plan for downtime or implement a blue-green deployment strategy.
- Client SDK requirements: Applications talk to DAX through the DAX client library, not the standard DynamoDB client. Make sure the DAX client version you run supports TLS, and initialise it with the daxs:// discovery endpoint URL of the new cluster rather than the old dax:// URL.
- Performance impact: TLS adds a small amount of CPU and connection-setup overhead. Measure it in a staging environment, but it is minor compared with the exposure of plaintext cache traffic.
- Defense in depth: Combine TLS with security groups that allow inbound TCP 9111 only from your application's security groups, private subnets for the cluster, and least-privilege IAM policies on both the DAX service role and the callers.
- Related frameworks: This control is referenced by C5, ISO27001, KISA-ISMS-P, NIS2, PCI, and SOC2 compliance frameworks.