ElastiCache transport encryption should be enabled
In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access while it moves from one location to another, such as from a primary node to a read replica node within a replication group, or between a replication group and an application.
Console Remediation Steps
Navigate to ElastiCache.
In the left navigation, select Redis.
Create a manual backup of the replication group.
Create a new replication group by restoring from the backup, setting the engine version to 3.2.6, 4.0.10 or later, and the parameter TransitEncryptionEnabled to true. Refer to Restoring From a Backup with Optional Cluster Resizing for more information.
Update the endpoints in your application to the new replication group’s endpoints. Refer to Finding Connection Endpoints for more information.
Delete the old replication group.
CLI Remediation Steps
--engine: must be redis.
--engine-version: must be 3.2.6, 4.0.10 or later.
Encryption settings cannot be modified after a replication group is created. Create a new replication group with transit encryption enabled, either from scratch or seeded with a backup from an existing group.
Create a backup of an existing cluster (if applicable). Note that you will use --replication-group-id or --cache-cluster-id depending on your setup. You may skip this step if your existing cluster has automatic backups enabled; in that case, locate the latest backup's name to use for seeding your new cluster.
aws elasticache create-snapshot --snapshot-name <snapshot-name> --replication-group-id <existing-replication-group-id>
Create a new replication group, specifying the snapshot name if you created a backup in the first step. Note that this command also creates two replicas and enables automatic failover. Adjust these settings based on your setup and requirements.
aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description <description> --engine redis --engine-version <minimum-3.2.6-or-4.0.10> --cache-node-type <node-instance-type> --transit-encryption-enabled --snapshot-name <snapshot-name> --replicas-per-node-group <replicas> --automatic-failover-enabled
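The following script is an added example, not part of the original remediation page: it audits the output of `aws elasticache describe-replication-groups` for groups whose in-transit encryption is off, checks that a chosen Redis version meets the 3.2.6 / 4.0.10 minimum, and builds the argument list for the create-replication-group command shown above. The JSON is a constructed sample standing in for the real command output, and the group, snapshot and node-type names are placeholders.

```python
"""Audit ElastiCache replication groups for in-transit encryption."""
import json

# Constructed sample of `aws elasticache describe-replication-groups` output:
# one group with TLS enabled and one still accepting plaintext connections.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationGroups": [
        {"ReplicationGroupId": "sessions-prod", "Status": "available",
         "TransitEncryptionEnabled": True, "AtRestEncryptionEnabled": True,
         "MemberClusters": ["sessions-prod-001", "sessions-prod-002"]},
        {"ReplicationGroupId": "legacy-cache", "Status": "available",
         "TransitEncryptionEnabled": False, "AtRestEncryptionEnabled": False,
         "MemberClusters": ["legacy-cache-001"]},
    ]
})


def noncompliant_groups(describe_json: str) -> list:
    """Return IDs of replication groups whose in-transit encryption is off."""
    groups = json.loads(describe_json).get("ReplicationGroups", [])
    return [g["ReplicationGroupId"] for g in groups
            if not g.get("TransitEncryptionEnabled", False)]


def engine_version_supports_tls(version: str) -> bool:
    """True for Redis 3.2.6+ on the 3.x line, or 4.0.10 and later ("6.x" counts)."""
    raw = tuple(int(p) if p.isdigit() else 0 for p in version.split(".")[:3])
    parts = (raw + (0, 0, 0))[:3]  # pad "7.0" or "6.x" to three components
    return parts >= (4, 0, 10) or (3, 2, 6) <= parts < (4, 0, 0)


def remediation_command(old_group: str, new_group: str, snapshot: str,
                        node_type: str, engine_version: str, replicas: int = 2) -> list:
    """Build the argv for the create-replication-group step, refusing old engines."""
    if not engine_version_supports_tls(engine_version):
        raise ValueError(f"Redis {engine_version} predates transit encryption support")
    return ["aws", "elasticache", "create-replication-group",
            "--replication-group-id", new_group,
            "--replication-group-description", f"TLS replacement for {old_group}",
            "--engine", "redis", "--engine-version", engine_version,
            "--cache-node-type", node_type, "--transit-encryption-enabled",
            "--snapshot-name", snapshot, "--replicas-per-node-group", str(replicas),
            "--automatic-failover-enabled"]


if __name__ == "__main__":
    for group_id in noncompliant_groups(SAMPLE_DESCRIBE_OUTPUT):
        cmd = remediation_command(group_id, f"{group_id}-tls", f"{group_id}-final",
                                  "cache.t3.small", "6.x")  # placeholder values
        print(f"{group_id}: transit encryption disabled; remediate with:\n  " + " ".join(cmd))
```

In a live account, replace SAMPLE_DESCRIBE_OUTPUT with the stdout of the describe command and review the printed argv before running it, since the snapshot name must match a backup that actually exists.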