ElastiCache transport encryption should be enabled
Description
In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access while it is moved from one location to another, such as from a primary node to a read replica node in a replication group, or between a replication group and an application.
Remediation Steps
AWS Console
Navigate to ElastiCache.
In the left navigation, select Redis.
Create a manual backup of the replication group.
Create a new replication group by restoring from the backup, setting the engine version to 3.2.6, 4.0.10 or later and the parameter TransitEncryptionEnabled to true. Refer to Restoring From a Backup with Optional Cluster Resizing for more information.
Update the endpoints in your application to the new replication group’s endpoints. Refer to Finding Connection Endpoints for more information.
Delete the old replication group.
AWS CLI
Prerequisites:
--engine: must be redis.
--engine-version: must be 3.2.6, 4.0.10 or later.
Encryption settings cannot be modified once a replication group is created. Create a new replication group with transit encryption enabled, either from scratch or seeded with a backup of an existing group.
Create a backup of the existing cluster (if applicable). Use --replication-group-id or --cache-cluster-id depending on your setup. You may skip this step if your existing cluster has automatic backups enabled; in that case, locate the latest backup's name to use for seeding your new cluster.
aws elasticache create-snapshot --snapshot-name <snapshot-name> --replication-group-id <existing-replication-group-id>
Create a new replication group, specifying the snapshot name if you created a backup in the first step. Note that this command also creates two replicas and enables automatic failover. Adjust these settings based on your setup and requirements.
aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description <description> --engine redis --engine-version <minimum-3.2.6-or-4.0.10> --cache-node-type <node-instance-type> --transit-encryption-enabled --snapshot-name <snapshot-name> --replicas-per-node-group <replicas> --automatic-failover-enabled
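Because the setting cannot be changed after creation, the useful check is the one you run after the new group exists and before the old one is deleted: confirm that the group actually reports TransitEncryptionEnabled as true, and list any remaining groups that do not. The following is an added example (not part of the original page or of any AWS tool) that audits the JSON output of `aws elasticache describe-replication-groups --output json`; the sample output, group ids and the `describe_replication_groups_live` wrapper are constructed for this example, and a missing TransitEncryptionEnabled key is deliberately treated as a finding rather than as "unknown".

```python
import json
import subprocess
from typing import Any, Dict, List, Optional

# Constructed sample, shaped like `aws elasticache describe-replication-groups --output json`.
# Field names match the API; the group ids and their values are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationGroups": [
        {
            "ReplicationGroupId": "legacy-sessions",
            "Status": "available",
            "TransitEncryptionEnabled": False,
            "AtRestEncryptionEnabled": False,
        },
        {
            "ReplicationGroupId": "sessions-tls",
            "Status": "available",
            "TransitEncryptionEnabled": True,
            "AtRestEncryptionEnabled": True,
        },
        {
            # Key omitted on purpose: a control should not pass on absent data.
            "ReplicationGroupId": "unknown-age-cache",
            "Status": "available",
        },
    ]
})


def find_unencrypted_groups(describe_output: str) -> List[str]:
    """Return ids of replication groups whose in-transit encryption is not enabled.

    `describe_output` is the JSON text from
    `aws elasticache describe-replication-groups --output json`.
    Anything other than a literal true (false, missing, or a wrong type) is a finding.
    """
    data: Dict[str, Any] = json.loads(describe_output)
    findings: List[str] = []
    for group in data.get("ReplicationGroups", []):
        if group.get("TransitEncryptionEnabled") is not True:
            findings.append(group["ReplicationGroupId"])
    return findings


def transit_encryption_enabled(describe_output: str, replication_group_id: str) -> bool:
    """Post-migration gate: True only if the named group exists and reports
    TransitEncryptionEnabled == true. Run this after creating the new group and
    before switching application endpoints or deleting the old group."""
    data = json.loads(describe_output)
    for group in data.get("ReplicationGroups", []):
        if group.get("ReplicationGroupId") == replication_group_id:
            return group.get("TransitEncryptionEnabled") is True
    return False


def describe_replication_groups_live(profile: Optional[str] = None) -> str:
    """Invoke the AWS CLI (installed and authenticated) and return its JSON output.
    Constructed wrapper; not exercised offline."""
    cmd = ["aws", "elasticache", "describe-replication-groups", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for rg_id in find_unencrypted_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"FINDING: replication group {rg_id} does not have in-transit encryption enabled")
```

To audit a real account, replace `SAMPLE_DESCRIBE_OUTPUT` with the return value of `describe_replication_groups_live()`; the gate function is what belongs in a migration runbook between the create and delete steps above.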
CloudFormation
JSON
Ensure that the AWS::ElastiCache::ReplicationGroup TransitEncryptionEnabled field is set to "true".
{
  "Properties" : {
    "TransitEncryptionEnabled" : true
  }
}
JSON Example Configuration
{
  "Type" : "AWS::ElastiCache::ReplicationGroup",
  "Properties" : {
    "TransitEncryptionEnabled" : true
    # other required fields
  }
}
YAML
Ensure that the AWS::ElastiCache::ReplicationGroup TransitEncryptionEnabled field is set to "true".
Properties:
  TransitEncryptionEnabled: true
YAML Example Configuration
Type: AWS::ElastiCache::ReplicationGroup
Properties:
  TransitEncryptionEnabled: true
  # other required fields
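The same control can be enforced before deployment by scanning the template rather than the account. Below is an added example (not the page's code and not part of any AWS or Fugue tooling) that walks the Resources of a parsed CloudFormation template and reports every AWS::ElastiCache::ReplicationGroup whose TransitEncryptionEnabled is absent or not true; the template and its logical ids are constructed for this example. The checker takes an already-parsed dict, so a YAML template can be fed in after `yaml.safe_load` (PyYAML, an assumption; templates using intrinsic-function tags such as !Ref need a loader that knows those tags).

```python
import json
from typing import Any, Dict, List

TARGET_TYPE = "AWS::ElastiCache::ReplicationGroup"

# Constructed CloudFormation template in JSON; logical ids are made up for this example.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodCache": {
            "Type": TARGET_TYPE,
            "Properties": {
                "ReplicationGroupDescription": "in-transit encryption on",
                "TransitEncryptionEnabled": True,
            },
        },
        "ExplicitlyOff": {
            "Type": TARGET_TYPE,
            "Properties": {
                "ReplicationGroupDescription": "in-transit encryption off",
                "TransitEncryptionEnabled": False,
            },
        },
        "DefaultOff": {
            # Property omitted: the service default is disabled, so this fails too.
            "Type": TARGET_TYPE,
            "Properties": {"ReplicationGroupDescription": "property omitted"},
        },
        "StringTrue": {
            # Booleans are often written as the string "true" in templates.
            "Type": TARGET_TYPE,
            "Properties": {
                "ReplicationGroupDescription": "string form",
                "TransitEncryptionEnabled": "true",
            },
        },
        "NotACache": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def _is_true(value: Any) -> bool:
    """Accept the boolean true or the string 'true' (case-insensitive); nothing else."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def check_transit_encryption(template: Dict[str, Any]) -> List[str]:
    """Return the sorted logical ids of ReplicationGroup resources that fail the control.

    A missing TransitEncryptionEnabled property is a failure: the default is disabled,
    and the setting cannot be turned on after the group has been created.
    """
    failing: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != TARGET_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("TransitEncryptionEnabled")):
            failing.append(logical_id)
    return sorted(failing)


def check_template_json(text: str) -> List[str]:
    """Convenience entry point for a JSON template read from disk or stdin."""
    return check_transit_encryption(json.loads(text))


if __name__ == "__main__":
    for logical_id in check_template_json(SAMPLE_TEMPLATE):
        print(f"FAIL: {logical_id} does not enable TransitEncryptionEnabled")
```

Run it as a pre-commit or pipeline step and fail the build on a non-empty result; unlike the post-deployment audit, a template finding can be fixed by editing one line instead of rebuilding the replication group from a snapshot.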
Terraform
Ensure that the aws_elasticache_replication_group transit_encryption_enabled field is set to "true".
Example Configuration
resource "aws_elasticache_replication_group" "example" {
  transit_encryption_enabled = true
  # other required fields here
}