AWS Security Hub · DynamoDB
DynamoDB.3: DAX clusters should be encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub DynamoDB.3 check?
DynamoDB.3 checks that a DynamoDB Accelerator (DAX) cluster is encrypted at rest. It reports FAILED when the cluster was created without encryption at rest enabled.
Why does DynamoDB.3 matter?
DAX caches data on its own nodes, so even if the source table is encrypted, the cache is a separate copy that needs its own encryption boundary. An unencrypted DAX cluster keeps frequently accessed data in plaintext outside KMS, which is exactly the hot data an attacker would want.
How do I fix DynamoDB.3?
- Audit clusters and check their encryption-at-rest status with the DAX describe-clusters API.
- Because encryption at rest can only be set at cluster creation, create a new cluster with encryption enabled, choosing an AWS-owned or customer-managed KMS key.
- Migrate workloads and cut the application's DAX endpoint over.
- Delete the old unencrypted cluster.
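The audit and replacement-planning half of that procedure, as an added example that is not part of this page or of any AWS tooling: it takes the `describe-clusters` response shape, lists the clusters DynamoDB.3 would flag, and builds the `create_cluster` arguments for an encrypted clone of each (same node type, replication factor, role, subnet group, security groups and parameter group, with SSE enabled). The sample response, account id, role and group names are constructed; cutover and deletion remain manual steps.

```python
"""Audit DAX clusters for DynamoDB.3 and plan encrypted replacements.
Pure functions over the describe-clusters response shape, so this runs
offline; feed it boto3's dax.describe_clusters() output in practice."""
from __future__ import annotations

# Constructed sample of an `aws dax describe-clusters` response (two clusters).
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterName": "orders-cache", "NodeType": "dax.r5.large", "TotalNodes": 3,
         "IamRoleArn": "arn:aws:iam::111111111111:role/DAXRole",  # constructed
         "SubnetGroup": "dax-private",
         "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0a1b2c3d", "Status": "active"}],
         "ParameterGroup": {"ParameterGroupName": "default.dax1.0"},
         "ClusterEndpointEncryptionType": "TLS",
         "SSEDescription": {"Status": "DISABLED"}},          # DynamoDB.3 -> FAILED
        {"ClusterName": "sessions-cache", "NodeType": "dax.t3.small", "TotalNodes": 1,
         "IamRoleArn": "arn:aws:iam::111111111111:role/DAXRole",
         "SubnetGroup": "dax-private",
         "SecurityGroups": [{"SecurityGroupIdentifier": "sg-0a1b2c3d", "Status": "active"}],
         "SSEDescription": {"Status": "ENABLED"}},           # DynamoDB.3 -> PASSED
    ]
}

def unencrypted_clusters(response: dict) -> list[str]:
    """Names of clusters DynamoDB.3 reports FAILED: SSE status is anything but ENABLED."""
    return [c["ClusterName"] for c in response.get("Clusters", [])
            if c.get("SSEDescription", {}).get("Status") != "ENABLED"]

def replacement_spec(cluster: dict, suffix: str = "-enc") -> dict:
    """create_cluster kwargs cloning the cluster's topology with encryption at rest on.
    SSE is creation-time only, so a fresh cluster is the only way to remediate."""
    spec = {
        "ClusterName": cluster["ClusterName"] + suffix,
        "NodeType": cluster["NodeType"],
        "ReplicationFactor": cluster["TotalNodes"],
        "IamRoleArn": cluster["IamRoleArn"],
        "SSESpecification": {"Enabled": True},
    }
    if "SubnetGroup" in cluster:
        spec["SubnetGroupName"] = cluster["SubnetGroup"]
    if cluster.get("SecurityGroups"):
        spec["SecurityGroupIds"] = [g["SecurityGroupIdentifier"] for g in cluster["SecurityGroups"]]
    if "ParameterGroup" in cluster:
        spec["ParameterGroupName"] = cluster["ParameterGroup"]["ParameterGroupName"]
    if "ClusterEndpointEncryptionType" in cluster:   # keep in-transit setting (DynamoDB.7)
        spec["ClusterEndpointEncryptionType"] = cluster["ClusterEndpointEncryptionType"]
    return spec

def plan(response: dict) -> dict[str, dict]:
    """Map each failing cluster name to the spec of its encrypted replacement."""
    by_name = {c["ClusterName"]: c for c in response.get("Clusters", [])}
    return {n: replacement_spec(by_name[n]) for n in unencrypted_clusters(response)}

if __name__ == "__main__":
    import json
    print(json.dumps(plan(SAMPLE_RESPONSE), indent=2))
```

Each returned spec can be passed unchanged as keyword arguments to boto3's `dax.create_cluster`; cut the application's endpoint over to the new cluster and delete the old one afterwards.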
Remediation script · bash
# Generic encryption-at-rest sample for other engines (RDS and Redshift shown);
# the DAX-specific path is the create-migrate-cutover-delete sequence listed above.
# 1. Find unencrypted databases across engines.
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
--query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text
# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key (the copy becomes encrypted),
#    then restore the new instance from the encrypted copy.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier "$SRC" --db-snapshot-identifier "${SRC}-snap"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap"
aws rds copy-db-snapshot \
--source-db-snapshot-identifier "${SRC}-snap" \
--target-db-snapshot-identifier "${SRC}-snap-enc" \
--kms-key-id "$KEY"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap-enc"
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "${SRC}-enc" --db-snapshot-identifier "${SRC}-snap-enc"
# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
--encrypted --kms-key-id "$KEY"
# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.
Is DynamoDB.3 a false positive?
No. DynamoDB.3 can never be fixed in place: encryption at rest is a creation-time setting on a DAX cluster, so the only remediation path is create, migrate, cut over, delete.
More DynamoDB controls
- DynamoDB.1 DynamoDB tables should auto-scale capacity
- DynamoDB.2 DynamoDB tables should have PITR
- DynamoDB.4 DynamoDB tables should be in a backup plan
- DynamoDB.6 DynamoDB tables should have deletion protection
- DynamoDB.7 DAX clusters should be encrypted in transit