
ElastiCache Redis In-Transit and At-Rest Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC-014

Ensure that your Amazon ElastiCache Redis cache clusters are encrypted in order to meet security and compliance requirements. Encryption helps prevent unauthorized users from reading sensitive data available on your Redis cache clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, between clients and cache servers, known as data in-transit.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production and confidential data, it is strongly recommended to implement encryption in order to protect your data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest and in-transit encryption. For example, one common compliance requirement is to protect sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is routinely handled in the Financial Services, Healthcare, and Telecommunications sectors.


Audit

To determine if in-transit and at-rest encryption is enabled for your ElastiCache Redis cache clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name (link) of the Redis cache cluster that you want to examine and choose Modify.

05 On the Modify <cache-cluster-name> page, in the Security section, check the values of the Encryption at rest and Encryption in transit attributes. If both Encryption at rest and Encryption in transit are set to Disabled, in-transit and at-rest encryption is not enabled for the selected Amazon ElastiCache Redis cache cluster.

06 Repeat steps no. 4 and 5 for each Redis cache cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache cluster (replication group) available in the selected region:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return an array with the requested replication group names:

[
    "cc-redis-cache-cluster",
    "cc-redis-project-cluster"
]

03 Run describe-replication-groups command (OSX/Linux/UNIX) using the name of the Redis cache cluster that you want to examine as the identifier parameter and custom query filters to describe the configuration status for both in-transit and at-rest encryption features, available for the selected Redis cache replication group:

aws elasticache describe-replication-groups \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups[*].[AtRestEncryptionEnabled,TransitEncryptionEnabled] | []'

04 The command output should return the current status for both in-transit encryption and at-rest encryption (true for enabled, false for disabled):

[
    false,
    false
]

If the configuration status returned by the describe-replication-groups command output is false for both types of encryption, as shown in the output example above, in-transit and at-rest encryption is not enabled for the selected Amazon ElastiCache Redis cache cluster.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
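The audit steps above check one replication group at a time. The following script is an added example (it is not Conformity's own code) that applies the same check to a whole describe-replication-groups JSON document in one pass, so it can be piped from the CLI command in step 01 and run per region. It is stricter than the criterion stated in step 04: a group is reported when either flag is false, not only when both are. The file name, function names and the sample payload are assumptions; the sample is constructed from the output shown on this page.

```python
"""Evaluate ElastiCache Redis replication groups for the EC-014 rule.

Added example, not Conformity's own code. Pipe the CLI output in, e.g.:

    aws elasticache describe-replication-groups --region us-east-1 \
      | python ec014_audit.py

When nothing is piped in, the constructed sample below is evaluated instead,
so the script also runs offline.
"""
import json
import sys

# Constructed sample payload modelled on the describe-replication-groups
# output shown on this page (trimmed to the fields the check needs).
SAMPLE_PAYLOAD = {
    "ReplicationGroups": [
        {
            "ReplicationGroupId": "cc-redis-cache-cluster",
            "TransitEncryptionEnabled": False,
            "AtRestEncryptionEnabled": False,
        },
        {
            "ReplicationGroupId": "cc-redis-project-cluster",
            "TransitEncryptionEnabled": True,
            "AtRestEncryptionEnabled": False,
        },
        {
            "ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
            "TransitEncryptionEnabled": True,
            "AtRestEncryptionEnabled": True,
        },
    ]
}


def evaluate_replication_group(group):
    """Return the list of encryption features that are not enabled on one group.

    The page treats a group as non-compliant when both attributes are Disabled;
    this check reports each missing feature separately, so a group with only
    one of the two enabled is still flagged.
    """
    missing = []
    # A missing key is treated as disabled rather than silently passing.
    if not group.get("TransitEncryptionEnabled", False):
        missing.append("TransitEncryptionEnabled")
    if not group.get("AtRestEncryptionEnabled", False):
        missing.append("AtRestEncryptionEnabled")
    return missing


def evaluate_replication_groups(payload):
    """Map each non-compliant ReplicationGroupId to its missing features."""
    findings = {}
    for group in payload.get("ReplicationGroups", []):
        missing = evaluate_replication_group(group)
        if missing:
            findings[group["ReplicationGroupId"]] = missing
    return findings


def main():
    # Read a describe-replication-groups document from stdin when piped,
    # otherwise fall back to the constructed sample.
    payload = SAMPLE_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    findings = evaluate_replication_groups(payload)
    for group_id, missing in findings.items():
        print(f"NON-COMPLIANT {group_id}: {', '.join(missing)} is false")
    if not findings:
        print("All replication groups have in-transit and at-rest encryption enabled")
    # A non-zero exit code lets a CI job or scheduled check fail on findings.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once per region by changing the --region value of the piped command, as step 06 describes; the exit code makes the result usable from a pipeline without parsing the printed lines.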

Remediation / Resolution

To enable in-transit and at-rest encryption for your existing Amazon ElastiCache Redis cache clusters, you must re-create them with the appropriate encryption configuration. To re-create a Redis cache cluster, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable In-Transit and At-Rest Encryption",
    "Resources": {
        "RedisReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
                "ReplicationGroupDescription": "Encrypted Redis Cache Replication Group",
                "Engine": "redis",
                "EngineVersion": "6.2",
                "NumCacheClusters": "2",
                "CacheNodeType": "cache.t2.micro",
                "CacheParameterGroupName": "default.redis6.x",
                "CacheSubnetGroupName": "default",
                "TransitEncryptionEnabled": true,
                "AtRestEncryptionEnabled": true,
                "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable In-Transit and At-Rest Encryption
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-encrypted-redis-cache-cluster
      ReplicationGroupDescription: Encrypted Redis Cache Replication Group
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      CacheSubnetGroupName: default
      TransitEncryptionEnabled: true
      AtRestEncryptionEnabled: true
      KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

  replication_group_id        = "cc-encrypted-redis-cache-cluster"
  description                 = "Encrypted Redis Cache Replication Group"
  engine                      = "redis"
  engine_version              = "6.x"
  node_type                   = "cache.t2.micro"
  num_cache_clusters          = 2
  parameter_group_name        = "default.redis6.x"

  # Enable In-Transit and At-Rest Encryption
  transit_encryption_enabled  = true
  at_rest_encryption_enabled  = true
  kms_key_id                  = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name of the Redis cache cluster that you want to re-create and choose Modify.

05 On the Modify <cache-cluster-name> page, copy the configuration information available in the Location, Cluster settings, Subnet group settings, Security, Backup and Maintenance sections. The configuration information copied at this step is required during the new cluster setup.

06 Navigate back to the Redis clusters listing page, choose Create Redis cluster, and perform the following actions:

  1. For Step 1 Cluster settings, choose Configure and create a new cluster, and perform the following:
    • For Cluster mode, choose the cluster mode required for your application.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box.
    • For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a Multi-AZ and/or automatic failover configuration.
    • Choose the appropriate Redis engine version from the Engine version dropdown list.
    • Configure the default endpoint port number available in the Port box.
    • Choose the right parameter group from the Parameter groups dropdown list.
    • Select the type of node to be deployed within the new cluster from the Node type dropdown list.
    • Enter the appropriate number of replicas to provision in the Number of replicas box.
    • Choose the subnets that you can designate for your new cluster from the Subnet group settings section.
    • Configure placements for Availability Zones (AZs) in the Availability Zone placements section.
    • Choose Next to continue the setup.
  2. For Step 2 Advanced settings, perform the following:
    • Select Enable under Encryption at rest to enable the encryption of cache data stored on disk. For Encryption key, choose whether to use the AWS-managed key created for the Amazon ElastiCache service or to provide your own Amazon KMS Customer Master Key (CMK) (recommended) as the master key. The master key selected at this step protects the key used to encrypt data at rest for the selected cluster.
    • Select Enable under Encryption in transit to enable the encryption of data that moves between the cache cluster and the client(s). For Access control, configure the access control settings required for authenticating and authorizing access.
    • Choose the security groups that you want to associate with the new cluster from the Selected security groups list. These must match the security group settings copied at step no. 5.
    • Configure automatic backups and select the necessary maintenance window.
    • Specify whether to enable the Redis slow logs and/or engine logs.
    • Set up any required tags.
    • Choose Next to continue.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch the new Redis cache cluster.

07 (Optional) Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the resource. To remove the source (non-compliant) Redis cluster from your AWS cloud account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Redis clusters.
  2. Select the Redis cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the Delete <cache-cluster>? confirmation box, choose whether to create a final backup for the source cluster, type the name of the non-compliant cluster in the text input field, then choose Delete to confirm the removal.

08 Repeat steps no. 4 – 7 for each Redis cache cluster that you want to re-create, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) to describe the configuration information available for the Redis cache cluster (replication group) that you want to reconfigure:

aws elasticache describe-replication-groups \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups'

02 The command output should return the requested cache cluster configuration information. This information will be useful for creating the new Redis cluster:

[
    {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "available",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-redis-cache-cluster-001",
            "cc-redis-cache-cluster-002"
        ],
        "NodeGroups": [
            {
                "NodeGroupId": "0001",
                "Status": "available",
                "PrimaryEndpoint": {
                    "Address": "cc-redis-cache-cluster.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "ReaderEndpoint": {
                    "Address": "cc-redis-cache-cluster-ro.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "NodeGroupMembers": [
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-001",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-001.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1d",
                        "CurrentRole": "primary"
                    },
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-002",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-002.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1c",
                        "CurrentRole": "replica"
                    }
                ]
            }
        ],
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "05:00-06:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.t2.micro",
        "AuthTokenEnabled": false,
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
        "DataTiering": "disabled"
    }
]

03 Re-create the source Amazon ElastiCache Redis cache cluster (replication group) with the create-replication-group command (OSX/Linux/UNIX), using the cluster configuration information returned at the previous step and the --transit-encryption-enabled and --at-rest-encryption-enabled command parameters to enable in-transit and at-rest encryption for the new Redis cache cluster. To use your own Amazon KMS Customer Master Key (CMK) for encryption at rest, include the --kms-key-id parameter in the command request:

aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-encrypted-redis-cache-cluster" \
  --replication-group-description "Encrypted Redis Cache Replication Group" \
  --engine "redis" \
  --num-cache-clusters 2 \
  --cache-node-type "cache.t2.micro" \
  --transit-encryption-enabled \
  --at-rest-encryption-enabled \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

04 The command output should return the metadata available for the new Redis cache cluster:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
        "Description": "Encrypted Redis Cache Replication Group",
        "GlobalReplicationGroupInfo": {},
        "Status": "creating",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-encrypted-redis-cache-cluster-001",
            "cc-encrypted-redis-cache-cluster-002"
        ],
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "04:00-05:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.t2.micro",
        "TransitEncryptionEnabled": true,
        "AtRestEncryptionEnabled": true,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-encrypted-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-17T11:40:46.317000+00:00",
        "DataTiering": "disabled"
    }
}

05 Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the AWS resource. To remove the source (non-compliant) Redis cluster from your AWS account, run delete-replication-group command (OSX/Linux/UNIX):

aws elasticache delete-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster

06 The output should return the delete-replication-group command request metadata:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "deleting",
        "PendingModifiedValues": {},
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "05:00-06:00",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
        "DataTiering": "disabled"
    }
}

07 Repeat steps no. 1 – 6 for each Redis cache cluster that you want to re-create, available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.
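Step 03 above re-creates the cluster "using the cluster configuration information returned at the previous step". The following script is an added example (it is not Conformity's own code) of doing that carry-over programmatically: it takes the ReplicationGroup object returned by describe-replication-groups in step 01 and builds the keyword arguments for boto3's create_replication_group call with both encryption flags set. The parameter group, subnet group and engine version are not present in that output (they belong to the member cache clusters), so they are passed in explicitly. The function names, the sample source group and the override values are assumptions; the boto3 parameter names are the real ones for the CreateReplicationGroup API.

```python
"""Derive create-replication-group parameters for an encrypted replacement.

Added example, not Conformity's own code. Only create_encrypted_replacement()
talks to AWS and needs credentials; everything else runs offline.
"""

# Constructed sample, trimmed from the describe-replication-groups output
# shown on this page for the non-compliant source cluster.
SOURCE_GROUP = {
    "ReplicationGroupId": "cc-redis-cache-cluster",
    "Description": " ",
    "MemberClusters": ["cc-redis-cache-cluster-001", "cc-redis-cache-cluster-002"],
    "AutomaticFailover": "disabled",
    "MultiAZ": "disabled",
    "SnapshotRetentionLimit": 0,
    "SnapshotWindow": "05:00-06:00",
    "ClusterEnabled": False,
    "CacheNodeType": "cache.t2.micro",
    "TransitEncryptionEnabled": False,
    "AtRestEncryptionEnabled": False,
}


def build_encrypted_replication_group_params(source, new_group_id, description,
                                             engine_version, parameter_group_name,
                                             subnet_group_name, kms_key_id=None):
    """Return kwargs for create_replication_group with both encryption flags enabled.

    Settings that describe-replication-groups exposes are carried over from
    `source`; the rest come from the explicit arguments (hypothetical values
    in the usage below).
    """
    if source.get("ClusterEnabled"):
        # Cluster-mode-enabled groups are sized with NumNodeGroups and
        # ReplicasPerNodeGroup instead of NumCacheClusters; this example covers
        # the non-cluster-mode case shown on the page.
        raise ValueError("cluster mode enabled groups are not handled by this example")
    params = {
        "ReplicationGroupId": new_group_id,
        "ReplicationGroupDescription": description,
        "Engine": "redis",
        "EngineVersion": engine_version,
        "CacheNodeType": source["CacheNodeType"],
        # One cache cluster per member of the source group (primary + replicas).
        "NumCacheClusters": len(source["MemberClusters"]),
        "CacheParameterGroupName": parameter_group_name,
        "CacheSubnetGroupName": subnet_group_name,
        "AutomaticFailoverEnabled": source.get("AutomaticFailover") == "enabled",
        "MultiAZEnabled": source.get("MultiAZ") == "enabled",
        "SnapshotRetentionLimit": source.get("SnapshotRetentionLimit", 0),
        "SnapshotWindow": source["SnapshotWindow"],
        # The two settings this rule is about.
        "TransitEncryptionEnabled": True,
        "AtRestEncryptionEnabled": True,
    }
    if kms_key_id:
        # Customer-managed KMS key for at-rest encryption; omit it to use the
        # AWS-managed key, as the page's remediation step describes.
        params["KmsKeyId"] = kms_key_id
    return params


def create_encrypted_replacement(params, region_name="us-east-1"):
    """Create the replacement group (requires AWS credentials and boto3)."""
    import boto3  # imported here so the offline part of the example has no dependency
    client = boto3.client("elasticache", region_name=region_name)
    return client.create_replication_group(**params)["ReplicationGroup"]


if __name__ == "__main__":
    import json
    # Hypothetical override values, matching the examples used on this page.
    params = build_encrypted_replication_group_params(
        SOURCE_GROUP,
        "cc-encrypted-redis-cache-cluster",
        "Encrypted Redis Cache Replication Group",
        "6.2",
        "default.redis6.x",
        "default",
        "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
    )
    print(json.dumps(params, indent=4))
```

Because the new group has in-transit encryption enabled, clients must connect to its endpoint over TLS; update the application connection settings along with the endpoint before deleting the source group in step 05.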

Publication date Dec 16, 2017
