Control: 7 DynamoDB Accelerator clusters should be encrypted in transit
Description
This control checks whether an Amazon DynamoDB Accelerator (DAX) cluster is encrypted in transit, with the endpoint encryption type set to TLS. The control fails if the DAX cluster isn't encrypted in transit.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. You should only allow encrypted connections over TLS to access DAX clusters. However, encrypting data in transit can affect performance. You should test your application with encryption turned on to understand the performance profile and the impact of TLS.
Remediation
You can't change the TLS encryption setting after creating a DAX cluster. To encrypt an existing DAX cluster, create a new cluster with encryption in transit enabled, shift your application's traffic to it, and then delete the old cluster. For more information, see Using deletion protection in the Amazon DynamoDB Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_dynamodb_7Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_dynamodb_7 --shareSQL
This control uses a named query:
select arn as resource, case when cluster_endpoint_encryption_type = 'TLS' then 'ok' else 'alarm' end as status, case when cluster_endpoint_encryption_type = 'TLS' then title || ' encryption in transit rest enabled.' else title || ' encryption in transit disabled.' end as reason , region, account_idfrom aws_dax_cluster;