Skip to main content

DAX cluster encryption should not be disabled

  • GG_ID: GG_IAC_0037
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Amazon DynamoDB Accelerator (DAX) is an in-memory cache for Amazon DynamoDB. Upon receiving a request it checks for the item in its cache and if not found sends the request to DynamoDB. The data should always be encrypted at rest to protect the data if accesses are compromised.


Not encrypting data at rest could lead to data leak in case of attack.

Remediation guidelines#

Enable DAX data encryption at rest.

External documentation#