ElastiCache transport encryption should be enabled


In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access while it moves from one location to another, such as from a primary node to a read replica node in a replication group, or between a replication group and an application.

Remediation Steps

AWS Console


  • Prerequisites:

    • --engine Must be redis.

    • --engine-version Must be 3.2.6, 4.0.10 or later.

  • Encryption settings cannot be modified once a replication group is created. Create a new replication group with transit encryption enabled, either from scratch or seeded with a backup from an existing group.

  • Create a backup of an existing cluster (if applicable). Note you will use replication-group-id or cache-cluster-id depending on your setup. You may skip this step if your existing cluster has automatic backups enabled. Locate the latest backup’s name to use for seeding your new cluster.

    • aws elasticache create-snapshot --snapshot-name <snapshot-name> --replication-group-id <existing-replication-group-id>

  • Create a new replication group, specifying the snapshot name if you created a backup in the previous step. Note that the command below also creates two replicas and enables automatic failover. Adjust these settings based on your setup and requirements.

    • aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description <description> --engine redis --engine-version <minimum-3.2.6-or-4.0.10> --cache-node-type <node-instance-type> --transit-encryption-enabled --snapshot-name <snapshot-name> --replicas-per-node-group <replicas> --automatic-failover-enabled
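The audit that precedes the steps above, as an added example that is not part of the original page: it reads the JSON that `aws elasticache describe-replication-groups` and `aws elasticache describe-cache-clusters` print, flags every group whose `TransitEncryptionEnabled` is false, checks the engine-version prerequisite (Redis 3.2.6, or 4.0.10 and later), and prints the snapshot and create-replication-group commands from the steps above with the group's own node type, replica count and failover setting filled in. Both sample responses are constructed, the resource names in them are made up, and the new group id and snapshot name it derives (`<id>-tls`, `<id>-pre-tls`) are placeholders of this script's choosing.

```python
"""Audit ElastiCache replication groups for in-transit encryption and
print the remediation commands from the steps above.

Added example, not part of the original page. It parses the JSON that
`aws elasticache describe-replication-groups` and
`aws elasticache describe-cache-clusters` print; the two sample responses
below are constructed, and the resource names in them are made up.
"""
import json
import re

# Constructed sample of `aws elasticache describe-replication-groups`.
REPLICATION_GROUPS_JSON = json.dumps({
    "ReplicationGroups": [
        {
            "ReplicationGroupId": "prod-sessions",
            "Description": "session store",
            "TransitEncryptionEnabled": False,
            "MemberClusters": ["prod-sessions-001", "prod-sessions-002",
                               "prod-sessions-003"],
            "AutomaticFailover": "enabled",
            "CacheNodeType": "cache.t3.medium",
        },
        {
            "ReplicationGroupId": "legacy-queue",
            "Description": "legacy job queue",
            "TransitEncryptionEnabled": False,
            "MemberClusters": ["legacy-queue-001"],
            "AutomaticFailover": "disabled",
            "CacheNodeType": "cache.t3.small",
        },
        {
            "ReplicationGroupId": "prod-ratelimit",
            "Description": "rate limiter",
            "TransitEncryptionEnabled": True,
            "MemberClusters": ["prod-ratelimit-001", "prod-ratelimit-002"],
            "AutomaticFailover": "enabled",
            "CacheNodeType": "cache.t3.medium",
        },
    ]
})

# Constructed sample of `aws elasticache describe-cache-clusters`; only the
# fields this script reads are included.
CACHE_CLUSTERS_JSON = json.dumps({
    "CacheClusters": [
        {"CacheClusterId": "prod-sessions-001", "Engine": "redis", "EngineVersion": "6.2.6"},
        {"CacheClusterId": "prod-sessions-002", "Engine": "redis", "EngineVersion": "6.2.6"},
        {"CacheClusterId": "prod-sessions-003", "Engine": "redis", "EngineVersion": "6.2.6"},
        {"CacheClusterId": "legacy-queue-001", "Engine": "redis", "EngineVersion": "3.2.10"},
        {"CacheClusterId": "prod-ratelimit-001", "Engine": "redis", "EngineVersion": "7.0.7"},
        {"CacheClusterId": "prod-ratelimit-002", "Engine": "redis", "EngineVersion": "7.0.7"},
    ]
})


def version_supports_tls(engine, version):
    """Prerequisite from the steps above: Redis 3.2.6, or 4.0.10 and later.

    3.2.10 sorts after 3.2.6 but is not in the supported set, so a plain
    ">= 3.2.6" comparison would wrongly accept it.
    """
    if engine != "redis":
        return False
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))  # "7.0" -> (7, 0, 0)
    return parts == (3, 2, 6) or parts >= (4, 0, 10)


def engine_versions(cache_clusters_json):
    """Map each cache cluster id to its (engine, version) pair."""
    data = json.loads(cache_clusters_json)
    return {c["CacheClusterId"]: (c["Engine"], c["EngineVersion"])
            for c in data["CacheClusters"]}


def find_unencrypted(replication_groups_json):
    """Return the replication groups whose traffic is not encrypted."""
    data = json.loads(replication_groups_json)
    return [g for g in data["ReplicationGroups"]
            if not g.get("TransitEncryptionEnabled", False)]


def remediation_commands(group, versions):
    """Build the snapshot and create-replication-group commands for one group.

    Mirrors the CLI steps above: snapshot the existing group, then create a
    new group from that snapshot with --transit-encryption-enabled. The new
    group id and snapshot name are placeholders derived from the old id.
    """
    gid = group["ReplicationGroupId"]
    engine, version = versions[group["MemberClusters"][0]]
    if not version_supports_tls(engine, version):
        version = "<upgrade-to-4.0.10-or-later>"
    snapshot = f"{gid}-pre-tls"
    replicas = len(group["MemberClusters"]) - 1
    create = [
        "aws elasticache create-replication-group",
        f"--replication-group-id {gid}-tls",
        f"--replication-group-description '{group.get('Description', gid)}'",
        f"--engine redis --engine-version {version}",
        f"--cache-node-type {group['CacheNodeType']}",
        "--transit-encryption-enabled",
        f"--snapshot-name {snapshot}",
        f"--replicas-per-node-group {replicas}",
    ]
    if group.get("AutomaticFailover") == "enabled":
        create.append("--automatic-failover-enabled")
    return [
        f"aws elasticache create-snapshot --snapshot-name {snapshot} "
        f"--replication-group-id {gid}",
        " ".join(create),
    ]


def audit(replication_groups_json, cache_clusters_json):
    """Return {group id: [commands]} for every non-compliant group."""
    versions = engine_versions(cache_clusters_json)
    return {g["ReplicationGroupId"]: remediation_commands(g, versions)
            for g in find_unencrypted(replication_groups_json)}


if __name__ == "__main__":
    for gid, commands in audit(REPLICATION_GROUPS_JSON, CACHE_CLUSTERS_JSON).items():
        print(f"{gid}: transit encryption disabled")
        for cmd in commands:
            print("  " + cmd)
```

Against live output, run the two describe commands with `--output json` and feed their text to `audit()` in place of the constructed samples. The version check is deliberately not a plain "greater than or equal" comparison: the prerequisite names 3.2.6 specifically, and a 3.2.x group on a later patch level will need an engine upgrade before it can be recreated with encryption, which is why the script substitutes a placeholder version in that case rather than copying the old one.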


Example Configuration

resource "aws_elasticache_replication_group" "example" {
  transit_encryption_enabled = true
  # other required fields here
}