AWS Security ChangesHomeSearch

AWS appsync high security documentation change

Service: appsync · 2025-06-10 · Security-related high

File: appsync/latest/devguide/enabling-caching.md

Summary

Enforced encryption at rest and in transit by default for new caches, removing optional encryption settings. Existing caches require recreation to enable encryption.

Security assessment

Mandates encryption for all new caches, addressing potential data exposure risks by eliminating unencrypted caching options. This is a proactive security hardening measure to prevent insecure configurations.

Diff

diff --git a/appsync/latest/devguide/enabling-caching.md b/appsync/latest/devguide/enabling-caching.md
index 099099baa..039b340c3 100644
--- a//appsync/latest/devguide/enabling-caching.md
+++ b//appsync/latest/devguide/enabling-caching.md
@@ -183,7 +183 @@ This setting defines the amount of time to store cached entries in memory. The m
-Cache encryption comes in the following two flavors. These are similar to the settings that ElastiCache (Redis OSS) allows. You can enable the encryption settings only when first enabling caching for your AWS AppSync API.
-
-  * Encryption in transit – Requests between AWS AppSync, the cache, and data sources (except insecure HTTP data sources) are encrypted at the network level. Because there is some processing needed to encrypt and decrypt the data at the endpoints, in-transit encryption can impact performance.
-
-  * Encryption at rest – Data saved to disk from memory during swap operations are encrypted at the cache instance. This setting also impacts performance.
-
-
+When you use AWS AppSync's server-side data caching feature, encryption at rest and in transit is always enabled for new caches, and can't be disabled.
@@ -190,0 +185 @@ Cache encryption comes in the following two flavors. These are similar to the se
+To enable encryption on an existing API cache, delete the cache and then recreate it.