Enable ElastiCache In-Transit and At-Rest Encryption

Security

Risk level: High (not acceptable risk)

Ensure that your AWS ElastiCache Redis clusters are encrypted in order to meet security and compliance requirements (keep Personally Identifiable Information safe). Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, between clients and cache servers, known as data in-transit.

When working with production data it is highly recommended to implement encryption in order to protect it from unauthorized access and fulfill compliance requirements for data-at-rest and in-transit encryption within your organization. For example, a compliance requirement is to protect sensitive data that could potentially identify a specific individual such as Personally Identifiable Information (PII), usually used in Financial Services, Healthcare and Telecommunications sectors. Note: As of December 2017, in-transit and at-rest encryption can be enabled only for AWS ElastiCache clusters with Redis engine version 3.2.6.

Audit

To determine in-transit and at-rest encryption configuration for your AWS ElastiCache Redis clusters, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Redis to access the cache clusters created with the Redis engine.

04 Select the ElastiCache Redis cache cluster that you want to examine and click on the Show/Hide Item Details button to expand the panel with the resource configuration details.

05 On the cluster details panel, check the Engine Version Compatibility attribute value to determine the Redis engine version compatibility. If the attribute value is 3.2.6, continue with the next step; otherwise, repeat steps no. 4 and 5 for another cluster.

06 On the same details panel, check the values set for Encryption in-transit and Encryption at-rest attributes in order to determine the status of the encryption feature. If the attributes values are both set to No, the selected Amazon ElastiCache Redis cache cluster does not have in-transit and at-rest encryption enabled.

07 Repeat steps no. 4 – 6 to verify in-transit and at-rest encryption status for other Amazon ElastiCache Redis clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers of all AWS ElastiCache Redis clusters with engine version compatibility set to 3.2.6, available in the selected region:

aws elasticache describe-cache-clusters \
	--region us-east-1 \
	--output table \
	--query 'CacheClusters[?(Engine==`redis`) && (EngineVersion==`3.2.6`)].ReplicationGroupId'

02 The command output should return a table with the requested Redis cluster identifiers:

-----------------------
|DescribeCacheClusters|
+---------------------+
|  cc-redis3-cache    |
|  cc-webapp-cache    |
|  cc-internal-cache  |
+---------------------+

03 Run describe-replication-groups command (OSX/Linux/UNIX) using the ID of the cache cluster that you want to examine as identifier and custom query filters to expose the status for both in-transit and at-rest encryption features for the selected AWS ElastiCache Redis cache cluster (replication group):

aws elasticache describe-replication-groups \
	--region us-east-1 \
	--replication-group-id cc-redis3-cache \
	--query 'ReplicationGroups[*].[AtRestEncryptionEnabled,TransitEncryptionEnabled]'

04 The command output should return the status flag for cluster in-transit encryption and at-rest encryption (true for enabled, false for disabled):

[
    false,
    false
]

If the describe-replication-groups command output returns false for both in-transit and at-rest encryption, as shown in the example above, the selected AWS ElastiCache Redis cache cluster does not have in-transit and at-rest encryption enabled.

05 Repeat step no. 3 and 4 to verify in-transit and at-rest encryption status for other Amazon ElastiCache Redis clusters provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
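The two CLI steps above can be folded into one check that walks every replication group in a region and reports the ones missing either flag. The following script is an added example (not part of the original page or of the Cloud Conformity tooling). The sample response is constructed to match the shape of the describe-replication-groups output shown above; the live lookup at the end assumes boto3 and AWS credentials are available and is only invoked when a region is passed in. Replication groups created before the encryption attributes existed may omit the keys entirely, which the check treats as "not encrypted".

```python
"""Audit ElastiCache Redis replication groups for in-transit / at-rest encryption.

Added example, not from the original page. Works offline on a constructed
sample response; audit_region() is the optional live variant (needs boto3).
"""
from typing import Dict, List

# Constructed sample: the same shape as `aws elasticache describe-replication-groups`.
# The first group matches the page's unencrypted example, the second is compliant,
# and the third omits the encryption keys (as older groups may), so it must be
# reported rather than silently skipped.
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {
            "ReplicationGroupId": "cc-redis3-cache",
            "AtRestEncryptionEnabled": False,
            "TransitEncryptionEnabled": False,
        },
        {
            "ReplicationGroupId": "cc-webapp-cache",
            "AtRestEncryptionEnabled": True,
            "TransitEncryptionEnabled": True,
        },
        {"ReplicationGroupId": "cc-internal-cache"},  # keys absent
    ]
}


def encryption_status(group: Dict) -> Dict[str, bool]:
    """Return both encryption flags for one group; a missing key counts as False."""
    return {
        "at_rest": bool(group.get("AtRestEncryptionEnabled", False)),
        "in_transit": bool(group.get("TransitEncryptionEnabled", False)),
    }


def find_unencrypted(response: Dict) -> List[Dict]:
    """List every replication group that lacks at least one of the two encryption features."""
    findings = []
    for group in response.get("ReplicationGroups", []):
        status = encryption_status(group)
        missing = [name for name, enabled in status.items() if not enabled]
        if missing:
            findings.append({"id": group["ReplicationGroupId"], "missing": missing})
    return findings


def audit_region(region: str) -> List[Dict]:
    """Live variant: paginate describe_replication_groups for one region (assumes boto3 + credentials)."""
    import boto3  # imported here so the offline functions above run without boto3 installed

    client = boto3.client("elasticache", region_name=region)
    merged = {"ReplicationGroups": []}
    for page in client.get_paginator("describe_replication_groups").paginate():
        merged["ReplicationGroups"].extend(page["ReplicationGroups"])
    return find_unencrypted(merged)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; pass a region to audit_region()
    # to run the same check against a real account.
    for finding in find_unencrypted(SAMPLE_RESPONSE):
        print(f"{finding['id']}: encryption disabled for {', '.join(finding['missing'])}")
```

Run it as-is to see the two non-compliant sample groups; to cover several regions, call audit_region() once per region in the same way the manual procedure repeats steps 1 to 5 per region.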

Remediation / Resolution

To enable in-transit and at-rest encryption for your existing AWS ElastiCache Redis clusters, you must re-create them with the necessary encryption configuration. To relaunch the required cache clusters, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Redis to access the cache clusters created with the Redis engine.

04 Choose the cache cluster that you want to re-create and click on the Show/Hide Item Details button to expand the panel with the resource configuration details.

05 On the cluster details panel, copy the current values set for attributes such as Name, Engine Version Compatibility, Node Type, Number of Nodes/Shards, Multi-AZ, Availability Zones, Security and Parameter Group(s). The configuration information copied is required for the next step (i.e. Redis cache cluster relaunch).

06 Now it’s time to re-create the selected Redis cache cluster with a different encryption configuration. To relaunch the necessary cache cluster, perform the following actions:

  1. Click Create button from the dashboard top menu to start the setup process.
  2. On the Create your Amazon ElastiCache cluster page, perform the following actions:
    • Select Redis from the Cluster Engine section to select the required cache engine type.
    • Enter a name for the new cache cluster within Name box.
    • Select 3.2.6 for Redis engine version from Engine Version Compatibility dropdown list.
    • Select both Encryption in-transit and Encryption at-rest checkboxes to enable encryption.
    • Set or paste the configuration attribute values copied at step no. 5 inside the corresponding fields within Redis settings section.
    • Click Advanced Redis settings tab to expand the cluster advanced settings panel then select the same subnet and security group(s) used by the source cache cluster.
    • Click Create to launch your new Amazon ElastiCache Redis cluster. Once the cache cluster has been successfully created, its status should change from creating to available.

07 Once you have replaced the source cache cluster endpoint (e.g. cc-redis3-cache.aaabbb.0001.cccc.cache.amazonaws.com:6379) with the new cluster endpoint (e.g. cc-new-redis3-cache.aaabbb.0001.cccc.cache.amazonaws.com:3560) within your web application(s) configuration, it is safe to shut down and delete the source cache cluster in order to stop incurring charges for it. To remove the unencrypted ElastiCache cluster from your AWS account, perform the following:

  1. Select the cache cluster that you want to remove and click the Delete button from the dashboard top menu.
  2. In the Delete Cluster confirmation box, select Yes from the Create final backup dropdown menu, provide a name for the cluster backup, then click Delete.

08 Repeat steps no. 4 - 7 to enable in-transit and at-rest encryption for other Amazon ElastiCache Redis clusters provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Gather the configuration details from the source ElastiCache cluster (i.e. the one without in-transit and at-rest encryption enabled). Run describe-replication-groups command (OSX/Linux/UNIX) using the ID of the replication group that you want to re-create (see Audit section part II to identify the right resource) to list its configuration details:

aws elasticache describe-replication-groups \
	--region us-east-1 \
	--replication-group-id cc-redis3-cache

02 The command output should return the requested cache cluster configuration information:

{
    "ReplicationGroups": [
        {
            "Status": "available",
            "Description": "CC Main Web App Cache Cluster",
            "NodeGroups": [
                {
                    "Status": "available",
                    "Slots": "0-16383",
                    "NodeGroupId": "0001",
                    "NodeGroupMembers": [
                        {
                            "PreferredAvailabilityZone": "us-east-1f",
                            "CacheNodeId": "0001",
                            "CacheClusterId": "cc-redis3-cluster-0001-001"
                        },
                        {
                            "PreferredAvailabilityZone": "us-east-1c",
                            "CacheNodeId": "0001",
                            "CacheClusterId": "cc-redis3-cluster-0001-002"
                        }
                    ]
                }
            ],
 
            ...
 
            "ConfigurationEndpoint": {
                "Port": 6379,
                "Address": "cc-redis3-cache.aaabbb.000123456.cccc.cache.amazonaws.com"
            },
            "AtRestEncryptionEnabled": false,
            "ClusterEnabled": true,
            "ReplicationGroupId": "cc-redis3-cache",
            "SnapshotRetentionLimit": 1,
            "AutomaticFailover": "enabled",
            "TransitEncryptionEnabled": false,
            "SnapshotWindow": "07:00-08:00",
            "MemberClusters": [
                "cc-redis3-cluster-0001-001",
                "cc-redis3-cluster-0001-002"
            ],
            "CacheNodeType": "cache.r4.large"
        }
    ]
}

03 Re-create the source cache cluster (Redis replication group) with the create-replication-group command (OSX/Linux/UNIX), using the existing ElastiCache cluster configuration attribute values returned at the previous step and the --transit-encryption-enabled --at-rest-encryption-enabled configuration parameters:

aws elasticache create-replication-group \
	--region us-east-1 \
	--replication-group-id cc-new3-cluster \
	--replication-group-description "CC Main Web App Cache Cluster" \
	--num-cache-clusters 2 \
	--cache-node-type cache.r4.large \
	--engine redis \
	--engine-version 3.2.6 \
	--security-group-ids sg-aaabbbccc \
	--automatic-failover-enabled \
	--transit-encryption-enabled \
	--at-rest-encryption-enabled

04 The command output should return the metadata for the newly created and encrypted Redis cache cluster:

{
    "ReplicationGroup": {
        "Status": "creating",
        "Description": "CC Main Web App Cache Cluster",
        "AtRestEncryptionEnabled": true,
        "ClusterEnabled": false,
        "ReplicationGroupId": "cc-new3-cluster",
        "AutomaticFailover": "enabled",
        "TransitEncryptionEnabled": true,
        "MemberClusters": [
            "cc-new3-cluster-001",
            "cc-new3-cluster-002"
        ],
        "CacheNodeType": "cache.r4.large",
        "PendingModifiedValues": {}
    }
}

05 Once you have replaced the source cluster endpoint with the new cluster endpoint within your application code, it is safe to shut down and delete the source cache cluster in order to stop incurring charges for it. To remove the unencrypted ElastiCache cluster from your AWS account, run delete-replication-group command (OSX/Linux/UNIX):

aws elasticache delete-replication-group \
	--region us-east-1 \
	--replication-group-id cc-redis3-cache \
	--final-snapshot-identifier cc-redis3-cache-final-snapshot

06 The command output should return the command request metadata:

{
    "ReplicationGroup": {
        "Status": "deleting",
        "AtRestEncryptionEnabled": false,
        "ReplicationGroupId": "cc-redis3-cache",
        "SnapshotRetentionLimit": 1,
        "AutomaticFailover": "enabled",
        "TransitEncryptionEnabled": false,
        "SnapshotWindow": "07:00-08:00",
        "PendingModifiedValues": {}
    }
}

07 Repeat steps no. 1 - 6 to enable in-transit and at-rest encryption for other Amazon ElastiCache Redis clusters provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire process for other regions.
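Because steps 1 to 3 of the CLI remediation amount to copying the source group's attributes into a create-replication-group call with only the two encryption flags changed, the mapping is easy to get wrong by hand (node count, failover setting, port). The script below is an added example, not part of the original page, that derives the create parameters from a describe-replication-groups entry and renders them as the equivalent CLI arguments. The source group is a constructed sample trimmed from the page's output; the security group id and engine version are caller-supplied assumptions, since neither appears at replication-group level in the describe output.

```python
"""Derive create-replication-group parameters from an unencrypted source group.

Added example, not from the original page. Copies configuration from the
describe-replication-groups entry and flips only the encryption flags on.
"""
import re
from typing import Dict, List

# Constructed sample: a trimmed describe-replication-groups entry for the
# unencrypted source cluster (fields taken from the page's example output).
SOURCE_GROUP = {
    "ReplicationGroupId": "cc-redis3-cache",
    "Description": "CC Main Web App Cache Cluster",
    "AutomaticFailover": "enabled",
    "CacheNodeType": "cache.r4.large",
    "MemberClusters": ["cc-redis3-cluster-0001-001", "cc-redis3-cluster-0001-002"],
    "ConfigurationEndpoint": {"Port": 6379, "Address": "cc-redis3-cache.example.invalid"},
    "AtRestEncryptionEnabled": False,
    "TransitEncryptionEnabled": False,
}


def build_create_params(source: Dict, new_id: str, security_group_ids: List[str],
                        engine_version: str = "3.2.6") -> Dict:
    """Return keyword arguments for boto3 ElastiCache.create_replication_group.

    new_id must differ from the source id: replication group ids are unique per
    account and region, and the source keeps running until the endpoint swap is done.
    """
    if new_id == source["ReplicationGroupId"]:
        raise ValueError("new replication group id must differ from the source id")
    failover = source.get("AutomaticFailover") == "enabled"
    num_clusters = len(source["MemberClusters"])
    if failover and num_clusters < 2:
        # Automatic failover needs at least one replica besides the primary.
        raise ValueError("automatic failover requires at least two member clusters")
    return {
        "ReplicationGroupId": new_id,
        "ReplicationGroupDescription": source["Description"],
        "NumCacheClusters": num_clusters,
        "CacheNodeType": source["CacheNodeType"],
        "Engine": "redis",
        "EngineVersion": engine_version,
        "Port": source.get("ConfigurationEndpoint", {}).get("Port", 6379),
        "SecurityGroupIds": list(security_group_ids),
        "AutomaticFailoverEnabled": failover,
        # The only two values that change relative to the source group:
        "TransitEncryptionEnabled": True,
        "AtRestEncryptionEnabled": True,
    }


def to_cli_args(params: Dict) -> List[str]:
    """Render the boto3-style parameters as an `aws elasticache create-replication-group` argv."""
    args = ["aws", "elasticache", "create-replication-group"]
    for name, value in params.items():
        flag = "--" + re.sub(r"(?<!^)(?=[A-Z])", "-", name).lower()
        if isinstance(value, bool):
            # The CLI models booleans as --flag / --no-flag pairs.
            args.append(flag if value else flag.replace("--", "--no-", 1))
        elif isinstance(value, list):
            args.append(flag)
            args.extend(str(v) for v in value)
        else:
            args.extend([flag, str(value)])
    return args


if __name__ == "__main__":
    params = build_create_params(SOURCE_GROUP, "cc-new3-cluster", ["sg-aaabbbccc"])
    print(" \\\n\t".join(to_cli_args(params)))
```

The printed command matches the page's step 3 (with --port and the description carried over from the source), so the same function can feed either the CLI or a boto3 create_replication_group call; once the new endpoint is in place, the page's delete-replication-group step with a final snapshot retires the source group.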


Publication date Dec 16, 2017