Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled

In order to protect sensitive data, AWS ElastiCache Redis clusters should be encrypted in transit. Encryption of data in transit protects data from unauthorized access as it travels through the network, between clients and cache servers.

Risk Level: High
Cloud Entity: Amazon ElastiCache
CloudGuard Rule ID: D9.AWS.CRY.32
Covered by Spectral: Yes
Category: Database

GSL LOGIC

ElastiCache where engine='redis' should have transitEncryptionEnabled=true
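The GSL logic above, expressed as a runnable check (an added example, not CloudGuard's own code): it evaluates the same condition over the CacheClusters list returned by DescribeCacheClusters, using constructed sample records; the optional live scan assumes boto3 is installed and credentials are configured.

```python
"""Flag ElastiCache Redis clusters whose in-transit encryption is disabled.

Added example applying the rule `engine='redis' should have
transitEncryptionEnabled=true` to DescribeCacheClusters output.
"""
from typing import Any, Dict, Iterable, List


def unencrypted_redis_clusters(cache_clusters: Iterable[Dict[str, Any]]) -> List[str]:
    """Return IDs of Redis clusters that fail the in-transit encryption check.

    `cache_clusters` is the `CacheClusters` list from DescribeCacheClusters.
    A missing `TransitEncryptionEnabled` key is treated as disabled so that a
    partial or legacy record is reported rather than silently passed.
    """
    findings = []
    for cluster in cache_clusters:
        if cluster.get("Engine", "").lower() != "redis":
            continue  # Memcached clusters are out of scope for this rule
        if cluster.get("TransitEncryptionEnabled") is not True:
            findings.append(cluster["CacheClusterId"])
    return findings


def scan_region(region_name: str) -> List[str]:
    """Live variant: page through DescribeCacheClusters with boto3 (assumed installed)."""
    import boto3  # imported here so the pure check above runs without it

    client = boto3.client("elasticache", region_name=region_name)
    clusters = []
    for page in client.get_paginator("describe_cache_clusters").paginate():
        clusters.extend(page["CacheClusters"])
    return unencrypted_redis_clusters(clusters)


# Constructed sample records mirroring the DescribeCacheClusters response shape.
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "redis-prod-001", "Engine": "redis",
     "EngineVersion": "6.2.6", "TransitEncryptionEnabled": False},
    {"CacheClusterId": "redis-prod-002", "Engine": "redis",
     "EngineVersion": "6.2.6", "TransitEncryptionEnabled": True},
    {"CacheClusterId": "memcached-001", "Engine": "memcached", "EngineVersion": "1.6.17"},
    {"CacheClusterId": "redis-legacy-003", "Engine": "redis", "EngineVersion": "3.2.4"},
]

if __name__ == "__main__":
    for cluster_id in unencrypted_redis_clusters(SAMPLE_CLUSTERS):
        print(f"D9.AWS.CRY.32 FAIL: {cluster_id} has in-transit encryption disabled")
```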

REMEDIATION

From Portal
AWS ElastiCache Redis cluster in-transit encryption can only be set when the cluster is created. To resolve this issue, create a new cluster with in-transit encryption enabled, migrate all required data from the unencrypted cluster to it, then delete the unencrypted cluster.

To create a new ElastiCache Redis cluster with in-transit encryption enabled, perform the following:

  1. Sign in to the AWS console
  2. In the console, select the specific region
  3. Navigate to ElastiCache Dashboard
  4. Click Redis clusters
  5. Click 'Create redis cluster' button
  6. On the 'Create your Amazon ElastiCache cluster' page,
    a. Select 'Redis' cache engine type.
    b. Enter a name for the new cache cluster
    c. Select Redis engine version from 'Engine version compatibility' dropdown list.
    Note: As of July 2018, in-transit encryption can be enabled only for AWS ElastiCache clusters with Redis engine version 3.2.6 or 4.0.10.
    d. Click 'Advanced Redis settings' to expand the cluster advanced settings panel
    e. Select 'Encryption in-transit' checkbox to enable encryption along with other necessary parameters
  7. Click 'Create' button to launch your new ElastiCache Redis cluster

To delete the reported ElastiCache Redis cluster, perform the following:

  1. Sign in to the AWS console
  2. In the console, select the specific region
  3. Navigate to ElastiCache Dashboard
  4. Click Redis
  5. Select the reported Redis cluster
  6. Click 'Delete' button
  7. In the 'Delete Cluster' dialog box, if you want a backup of your cluster, select 'Yes' from the 'Create final backup' dropdown menu, provide a name for the cluster backup, then click 'Delete'.

From TF

resource "aws_elasticache_replication_group" "example" {
	...
	replication_group_id          = "default-1"
	+ transit_encryption_enabled    = true
	...
}

From Command Line

aws elasticache create-replication-group \
  --region VALUE \
  --replication-group-id GROUP_ID \
  --replication-group-description GROUP_DESCRIPTION \
  --num-cache-clusters VALUE \
  --cache-node-type VALUE \
  --engine Redis \
  --engine-version VALUE \
  --security-group-ids SG_ID \
  --automatic-failover-enabled \
  --transit-encryption-enabled

References

  1. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-replication-group.html

Amazon ElastiCache

Amazon ElastiCache offers fully managed Redis and Memcached. Seamlessly deploy, operate, and scale popular open source compatible in-memory data stores. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset