Risk Level: High
Cloud Entity: Amazon ElastiCache
CloudGuard Rule ID: D9.AWS.CRY.32
Covered by Spectral: Yes
Category: Database

GSL LOGIC

ElastiCache where engine='redis' should have transitEncryptionEnabled=true

REMEDIATION

From Portal
AWS ElastiCache Redis cluster in-transit encryption can only be set when the cluster is created. To resolve this issue, create a new cluster with in-transit encryption enabled, migrate all required ElastiCache Redis cluster data from the unencrypted cluster, then delete it

To create new ElastiCache Redis cluster with In-transit encryption set, perform the following:

Sign in to the AWS console
In the console, select the specific region
Navigate to ElastiCache Dashboard
Click Redis clusters
Click 'Create redis cluster' button
On the 'Create your Amazon ElastiCache cluster' page,
a. Select 'Redis' cache engine type.
b. Enter a name for the new cache cluster
c. Select Redis engine version from 'Engine version compatibility' dropdown list.
Note: As of July 2018, In-transit encryption can be enabled only for AWS ElastiCache clusters with Redis engine version 3.2.6 and 4.0.10.
d. Click 'Advanced Redis settings' to expand the cluster advanced settings panel
e. Select 'Encryption in-transit' checkbox to enable encryption along with other necessary parameters
Click 'Create' button to launch your new ElastiCache Redis cluster

To delete reported ElastiCache Redis cluster, perform the following:

Sign in to the AWS console
In the console, select the specific region
Navigate to ElastiCache Dashboard
Click Redis
Select the reported Redis cluster
Click 'Delete' button
In the 'Delete Cluster' dialog box, if you want a backup for your cluster select 'Yes' from the 'Create final backup' dropdown menu, provide a name for the cluster backup, then click 'Delete'.

From TF

resource "aws_elasticache_replication_group" "example"{
	...
	replication_group_id          = "default-1"
	+ transit_encryption_enabled    = true
	...
}

From Command Line

aws elasticache create-replication-group --region VALUE --replication-group-id GROUP_ID --replication-group-description GROUP_DESCRIPTION --num-cache-clusters VALUE --cache-node-type VALUE --engine Redis --engine-version VALUE --security-group-ids SG_ID --automatic-failover-enabled --transit-encryption-enabled

References

Amazon ElastiCache

Amazon ElastiCache offers fully managed Redis and Memcached. Seamlessly deploy, operate, and scale popular open source compatible in-memory data stores. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.

Compliance Frameworks

AWS CIS Controls V 8
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset