> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Encryption At Rest Should Be Enabled For App Sync Cache

### More Info:

This rule checks whether encryption at rest is enabled for the cache of an AWS AppSync API. Enabling encryption at rest helps protect sensitive data stored in the cache from unauthorized access or tampering. It ensures that data is encrypted while stored, providing an additional layer of security.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP,SEBI

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console.
        2. Navigate to the AppSync service. You can find this by typing 'AppSync' into the search bar at the top of the console.
        3. In the AppSync dashboard, select the APIs from the navigation pane.
        4. For each API, click on its name to open its details page. In the details page, click on 'Settings' in the left-hand navigation pane.
        5. In the Settings page, look for the 'Cache' section. If the 'Encryption at Rest' field is set to 'Disabled', then Encryption at Rest is not enabled for the App Sync Cache.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the AppSync resources.

        2. Once the AWS CLI is set up, you can use the following command to list all the AppSync APIs in your account:

           ```
           aws appsync list-graphql-apis --region your-region
           ```

           Replace 'your-region' with the region where your resources are located. This command will return a list of all the AppSync APIs in the specified region.

        3. To check the encryption at rest configuration for each API, you can use the following command:

           ```
           aws appsync get-graphql-api --api-id your-api-id --region your-region
           ```

           Replace 'your-api-id' with the ID of the API you want to check and 'your-region' with the region where the API is located. This command will return the details of the specified API, including the encryption at rest configuration.

        4. To check if encryption at rest is enabled, you need to look at the 'userPoolConfig' field in the output. If the 'awsCognitoUserPools' field is set to 'true', then encryption at rest is enabled. If it's set to 'false' or not present, then encryption at rest is not enabled.

           Note: The 'awsCognitoUserPools' field might not be present if the API is not using AWS Cognito User Pools for authorization. In this case, you need to check the 'authorizationConfig' field to see if encryption at rest is enabled.
      </Accordion>

      <Accordion title="Using Python">
        To check if Encryption At Rest is enabled for App Sync Cache in AWS App Sync, you can use the AWS SDK for Python (Boto3). Here are the steps:

        1. **Set up AWS SDK for Python (Boto3):**
           First, you need to install and configure Boto3. You can install it using pip:

           ```
           pip install boto3
           ```

           Then, configure your AWS credentials. You can do this by setting the following environment variables:

           ```
           AWS_ACCESS_KEY_ID = 'your_access_key'
           AWS_SECRET_ACCESS_KEY = 'your_secret_key'
           ```

        2. **Import Boto3 and Initialize AppSync Client:**
           Now, you can import Boto3 in your Python script and initialize the AppSync client.

           ```python theme={null}
           import boto3

           client = boto3.client('appsync')
           ```

        3. **List AppSync APIs and Check Encryption Configuration:**
           You can use the `list_graphql_apis` method to get a list of all AppSync APIs. Then, for each API, you can check the `xrayEnabled` attribute in the `logConfig` field to see if Encryption At Rest is enabled.

           ```python theme={null}
           response = client.list_graphql_apis()

           for api in response['graphqlApis']:
               if 'logConfig' in api and 'xrayEnabled' in api['logConfig']:
                   if api['logConfig']['xrayEnabled']:
                       print(f"Encryption At Rest is enabled for {api['name']}")
                   else:
                       print(f"Encryption At Rest is not enabled for {api['name']}")
           ```

        4. **Handle Pagination:**
           The `list_graphql_apis` method returns a maximum of 25 APIs at a time. If you have more than 25 APIs, you need to handle pagination by using the `nextToken` parameter.

           ```python theme={null}
           next_token = None

           while True:
               if next_token:
                   response = client.list_graphql_apis(nextToken=next_token)
               else:
                   response = client.list_graphql_apis()

               for api in response['graphqlApis']:
                   if 'logConfig' in api and 'xrayEnabled' in api['logConfig']:
                       if api['logConfig']['xrayEnabled']:
                           print(f"Encryption At Rest is enabled for {api['name']}")
                       else:
                           print(f"Encryption At Rest is not enabled for {api['name']}")

               if 'nextToken' in response:
                   next_token = response['nextToken']
               else:
                   break
           ```

        Please note that this script assumes that you have the necessary permissions to list and describe AppSync APIs. If you don't, you may need to adjust your IAM policies accordingly.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of enabling encryption at rest for App Sync cache in AWS, follow these steps using the AWS Management Console:

        1. **Navigate to AWS AppSync Console:**
           * Go to the AWS Management Console ([https://console.aws.amazon.com](https://console.aws.amazon.com)).
           * In the "Find services" search bar, type "AppSync" and select "AWS AppSync" from the options.

        2. **Select the AppSync API:**
           * In the AWS AppSync console, select the API for which you want to enable encryption at rest.

        3. **Configure Data Sources:**
           * In the left navigation pane, click on "Data sources."
           * Select the data source associated with your App Sync cache.

        4. **Enable Encryption at Rest:**
           * Under the data source settings, look for the option to enable encryption at rest.
           * Click on the data source configuration and find the setting related to encryption at rest.
           * Enable encryption at rest by selecting the appropriate encryption option (e.g., AWS Key Management Service (KMS) key).

        5. **Select KMS Key:**
           * If you choose AWS KMS for encryption, select the KMS key that you want to use for encrypting your data at rest.

        6. **Save Changes:**
           * After enabling encryption at rest and selecting the KMS key, save the changes to apply the configuration.

        7. **Verify Encryption at Rest:**
           * To verify that encryption at rest is enabled for your App Sync cache, you can check the data source settings or review the encryption settings in the AWS Key Management Service console.

        By following these steps, you can remediate the misconfiguration of enabling encryption at rest for App Sync cache in AWS using the AWS Management Console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of enabling encryption at rest for App Sync cache in AWS using AWS CLI, follow these steps:

        1. **Enable Encryption at Rest for the App Sync Cache**:

           Run the following AWS CLI command to update the App Sync cache with encryption at rest enabled:

           ```bash theme={null}
           aws appsync update-graphql-api --api-id YOUR_API_ID --additional-authentication-providers "CognitoUserPoolConfig={UserPoolId=YOUR_USER_POOL_ID,AppIdClientRegex=YOUR_APP_CLIENT_ID,DefaultAction=ALLOW}" --log-configs "CloudWatchLogsRoleArn=YOUR_CLOUDWATCH_LOGS_ROLE_ARN,FieldLogLevel=ALL" --xray-enabled --cache-key-parameters "QUERY" --default-resolver "CachingConfig={ttl=300,cachingKeys=[]}" --additional-resolvers "typeName=Query,fieldName=getPost,fieldName=getUser,resolver=YOUR_RESOLVER_ARN" --region YOUR_REGION --authentication-type API_KEY --log-settings "RoleArn=YOUR_LOG_ROLE_ARN,LogLevel=ALL" --name YOUR_API_NAME --default-authentication-type API_KEY --additional-authentication-providers "CognitoUserPoolConfig={UserPoolId=YOUR_USER_POOL_ID,AppIdClientRegex=YOUR_APP_CLIENT_ID,DefaultAction=ALLOW}" --xray-enabled
           ```

           Replace the placeholders `YOUR_API_ID`, `YOUR_USER_POOL_ID`, `YOUR_APP_CLIENT_ID`, `YOUR_CLOUDWATCH_LOGS_ROLE_ARN`, `YOUR_LOG_ROLE_ARN`, `YOUR_RESOLVER_ARN`, `YOUR_REGION`, and `YOUR_API_NAME` with your actual values.

        2. **Verify Encryption at Rest**:

           After running the command, verify that encryption at rest is enabled for the App Sync cache by checking the cache configuration settings in the AWS Management Console or by running the `describe-graphql-api` command using AWS CLI.

        By following these steps, you can remediate the misconfiguration of enabling encryption at rest for App Sync cache in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of enabling encryption at rest for AWS AppSync cache using Python, you can follow these steps:

        1. Import the necessary libraries:

        ```python theme={null}
        import boto3
        ```

        2. Initialize the AWS AppSync client:

        ```python theme={null}
        client = boto3.client('appsync')
        ```

        3. List all the GraphQL APIs in your AWS account:

        ```python theme={null}
        response = client.list_graphql_apis()
        ```

        4. Identify the specific GraphQL API for which you want to enable encryption at rest for the cache. You can use the API name or ID to filter the API.

        5. Update the GraphQL API to enable encryption at rest for the cache:

        ```python theme={null}
        api_id = 'YOUR_API_ID'
        client.update_graphql_api(
            apiId=api_id,
            cachingConfig={
                'cachingKeys': [],
                'ttl': 60,
                'transitEncryptionEnabled': True,  # Enable encryption at rest for the cache
                'cachingCidrBlocks': []
            }
        )
        ```

        6. Verify that the encryption at rest for the cache has been enabled successfully by checking the caching configuration of the GraphQL API:

        ```python theme={null}
        response = client.get_graphql_api(apiId=api_id)
        caching_config = response['graphqlApi']['cachingConfig']
        transit_encryption_enabled = caching_config.get('transitEncryptionEnabled', False)
        print(f"Encryption at rest for cache is enabled: {transit_encryption_enabled}")
        ```

        By following these steps and running the Python script, you can successfully remediate the misconfiguration of enabling encryption at rest for AWS AppSync cache.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
