ElastiCache transport encryption should be enabled

Description

In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access while it moves from one location to another, such as from a primary node to a read replica node within a replication group, or between a replication group and an application.

Console Remediation Steps

CLI Remediation Steps

Prerequisites

  • --engine must be redis.

  • --engine-version must be 3.2.6, or 4.0.10 or later.

  • Encryption settings cannot be modified after a replication group is created. Create a new replication group with in-transit encryption enabled, either starting from scratch or seeded with a backup of the existing group.

  • Create a backup of the existing cluster (if applicable). Note that you will use --replication-group-id or --cache-cluster-id depending on your setup. You may skip this step if the existing cluster has automatic backups enabled; locate the name of the latest backup to seed the new cluster.

    • aws elasticache create-snapshot --snapshot-name <snapshot-name> --replication-group-id <existing-replication-group-id>

  • Create a new replication group, specifying the snapshot name if you created a backup in the previous step. Note that this command also creates two replicas and enables automatic failover. Adjust these settings based on your setup and requirements.

    • aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description <description> --engine redis --engine-version <minimum-3.2.6-or-4.0.10> --cache-node-type <node-instance-type> --transit-encryption-enabled --snapshot-name <snapshot-name> --replicas-per-node-group <replicas> --automatic-failover-enabled
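As an added example (not part of this rule page), a check that finds groups needing the remediation above: it reads the JSON shape returned by `aws elasticache describe-replication-groups` and `aws elasticache describe-cache-clusters` (a constructed sample is embedded, so it runs offline), lists every replication group without in-transit encryption, and marks those whose engine version also fails the prerequisite, since their replacement group must be created at a supported version. The version test follows the rule text exactly: redis 3.2.6, or 4.0.10 or later.

```python
# Constructed sample output (not from a real account), shaped like the JSON from
# `aws elasticache describe-replication-groups` ...
SAMPLE_REPLICATION_GROUPS = {"ReplicationGroups": [
    {"ReplicationGroupId": "legacy-sessions", "TransitEncryptionEnabled": False,
     "MemberClusters": ["legacy-sessions-001", "legacy-sessions-002"]},
    {"ReplicationGroupId": "reports-cache", "TransitEncryptionEnabled": False,
     "MemberClusters": ["reports-cache-001"]},
    {"ReplicationGroupId": "secure-cache", "TransitEncryptionEnabled": True,
     "MemberClusters": ["secure-cache-001"]},
]}
# ... and from `aws elasticache describe-cache-clusters` (only the fields used here).
SAMPLE_CACHE_CLUSTERS = {"CacheClusters": [
    {"CacheClusterId": "legacy-sessions-001", "Engine": "redis", "EngineVersion": "3.2.4"},
    {"CacheClusterId": "legacy-sessions-002", "Engine": "redis", "EngineVersion": "3.2.4"},
    {"CacheClusterId": "reports-cache-001", "Engine": "redis", "EngineVersion": "6.x"},
    {"CacheClusterId": "secure-cache-001", "Engine": "redis", "EngineVersion": "7.0"},
]}

def parse_version(version: str) -> tuple:
    """'4.0.10' -> (4, 0, 10); a non-numeric part, such as the 'x' in '6.x', becomes 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def supports_transit_encryption(engine: str, version: str) -> bool:
    """Prerequisite stated by the rule: engine redis at 3.2.6, or at 4.0.10 or later."""
    if engine.lower() != "redis":
        return False
    v = parse_version(version)
    return v == (3, 2, 6) or v >= (4, 0, 10)

def find_noncompliant(replication_groups: dict, cache_clusters: dict) -> list:
    """One finding per replication group whose TransitEncryptionEnabled is not True.
    VersionUpgradeNeeded means a member cluster runs a version that cannot take
    in-transit encryption, so the replacement group must be created at a newer one."""
    engine_of = {c["CacheClusterId"]: (c["Engine"], c["EngineVersion"])
                 for c in cache_clusters.get("CacheClusters", [])}
    findings = []
    for group in replication_groups.get("ReplicationGroups", []):
        if group.get("TransitEncryptionEnabled") is True:
            continue  # compliant; a missing key counts as not enabled
        engines = {engine_of[m] for m in group.get("MemberClusters", []) if m in engine_of}
        findings.append({
            "ReplicationGroupId": group["ReplicationGroupId"],
            "EngineVersions": sorted(f"{e} {v}" for e, v in engines),
            "VersionUpgradeNeeded": not engines
            or not all(supports_transit_encryption(e, v) for e, v in engines),
        })
    return findings
```

Feed it the real output of the two describe commands (parsed with `json.load`) to get the list of groups to rebuild with `--transit-encryption-enabled`.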