ElastiCache Redis In-Transit and At-Rest Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC-014

Ensure that your Amazon ElastiCache Redis cache clusters are encrypted in order to meet security and compliance requirements. Encryption helps prevent unauthorized users from reading sensitive data available on your Redis cache clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, between clients and cache servers, known as data in-transit.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production and confidential data, it is strongly recommended to implement encryption in order to protect your data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest and data-in-transit encryption. For example, many compliance regimes require protecting sensitive data that can identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled in the Financial Services, Healthcare, and Telecommunications sectors.


Audit

To determine if in-transit and at-rest encryption is enabled for your ElastiCache Redis cache clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 In the Cluster details section, check the configuration status for both Encryption at rest and Encryption in transit cluster attributes. If both Encryption at rest and Encryption in transit attributes are set to Disabled, in-transit and at-rest encryption is disabled for the selected Amazon ElastiCache Redis cache cluster.

06 Repeat steps no. 4 – 6 for each Redis cache cluster provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache replication group available in the selected AWS region:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --output table \
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return a table with the requested resource names:

-----------------------------------
|    DescribeReplicationGroups    |
+---------------------------------+
|  cc-production-redis-cluster    |
|  cc-web-platform-cache-cluster  |
+---------------------------------+

03 Run describe-replication-groups command (OSX/Linux/UNIX) with custom output filters to describe the configuration status for both in-transit and at-rest encryption features, available for the specified Redis replication group:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --replication-group-id cc-production-redis-cluster \
  --query 'ReplicationGroups[*].[AtRestEncryptionEnabled,TransitEncryptionEnabled] | []'

04 The command output should return the configuration status for both in-transit encryption and at-rest encryption features (true for enabled, false for disabled):

[
	false,
	false
]

If the configuration status returned by the describe-replication-groups command output is false for both types of encryption, as shown in the output example above, in-transit and at-rest encryption is disabled for the selected Amazon ElastiCache Redis cache cluster.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
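The CLI steps above evaluate one replication group at a time. The following is an added example (not part of the Conformity rule page or the AWS CLI) that applies the same EC-014 check to a whole describe-replication-groups response, flagging a group when either encryption attribute is false or absent. The sample response, the function names and the boto3 paginator wrapper are the author's assumptions.

```python
"""Evaluate describe-replication-groups output for ElastiCache rule EC-014."""
from typing import Dict, List

# Constructed sample shaped like `aws elasticache describe-replication-groups`
# output; only the fields this check reads are included (assumption).
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "cc-production-redis-cluster",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        {"ReplicationGroupId": "cc-web-platform-cache-cluster",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": False},
        {"ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True},
    ]
}


def evaluate_group(group: Dict) -> List[str]:
    """Return the encryption features that are disabled for one group.

    A missing attribute is treated as disabled: absence of the field is
    never evidence that encryption is turned on.
    """
    findings = []
    if not group.get("AtRestEncryptionEnabled", False):
        findings.append("at-rest encryption disabled")
    if not group.get("TransitEncryptionEnabled", False):
        findings.append("in-transit encryption disabled")
    return findings


def audit_response(response: Dict) -> Dict[str, List[str]]:
    """Map each non-compliant ReplicationGroupId to its findings."""
    results = {}
    for group in response.get("ReplicationGroups", []):
        findings = evaluate_group(group)
        if findings:
            results[group["ReplicationGroupId"]] = findings
    return results


def audit_region(region: str) -> Dict[str, List[str]]:
    """Live variant: page through DescribeReplicationGroups with boto3.

    boto3 is imported lazily so the offline sample runs without it
    (assumption: AWS credentials are configured for the given region).
    """
    import boto3
    client = boto3.client("elasticache", region_name=region)
    merged: Dict[str, List[str]] = {}
    for page in client.get_paginator("describe_replication_groups").paginate():
        merged.update(audit_response(page))
    return merged


if __name__ == "__main__":
    for rg_id, issues in audit_response(SAMPLE_RESPONSE).items():
        print(f"EC-014 FAIL {rg_id}: {', '.join(issues)}")
```

Run `audit_region` once per region from the list returned by `aws ec2 describe-regions` to cover the multi-region loop of steps 5 and 6.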

Remediation / Resolution

To enable in-transit and at-rest encryption for your existing Amazon ElastiCache Redis cache clusters, you must re-create them with the appropriate encryption configuration. To re-create a Redis cache cluster, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable In-Transit and At-Rest Encryption",
	"Resources": {
		"RedisReplicationGroup": {
			"Type": "AWS::ElastiCache::ReplicationGroup",
			"Properties": {
				"ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
				"ReplicationGroupDescription": "Encrypted Redis Cache Replication Group",
				"Engine": "redis",
				"EngineVersion": "6.2",
				"NumCacheClusters": "2",
				"CacheNodeType": "cache.t2.micro",
				"CacheParameterGroupName": "default.redis6.x",
				"CacheSubnetGroupName": "default",
				"TransitEncryptionEnabled": true,
				"AtRestEncryptionEnabled": true,
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable In-Transit and At-Rest Encryption
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-encrypted-redis-cache-cluster
      ReplicationGroupDescription: Encrypted Redis Cache Replication Group
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      CacheSubnetGroupName: default
      TransitEncryptionEnabled: true
      AtRestEncryptionEnabled: true
      KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

	replication_group_id        = "cc-encrypted-redis-cache-cluster"
	description                 = "Encrypted Redis Cache Replication Group"
	engine                      = "redis"
	engine_version              = "6.x"
	node_type                   = "cache.t2.micro"
	num_cache_clusters          = 2
	parameter_group_name        = "default.redis6.x"

	# Enable In-Transit and At-Rest Encryption
	transit_encryption_enabled  = true
	at_rest_encryption_enabled  = true
	kms_key_id                  = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, select Redis caches, and choose Create Redis cache to create a new Redis cache cluster.

  1. For Step 1 Cluster settings, perform the following actions:
    • For Configuration, set Deployment option to Design your own cache and Creation method to Cluster cache.
    • For Cluster mode, choose the cluster mode required for your application.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
    • For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a multi-AZ and/or failover configuration.
    • For Cluster settings, select the Redis engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type configured for the source cluster), and enter the number of replicas to provision in the Number of replicas box.
    • For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
    • For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
    • Choose Next to continue the setup process.
  2. For Step 2 Advanced settings, perform the following operations:
    • For Security, choose Manage under Selected security groups to select the security groups necessary for controlling network access to your cluster. Check Enable under Encryption at rest and select an encryption key to enable encryption at rest for the new cluster. If you choose Customer managed CMK, select your own Amazon KMS Customer Managed Key (CMK) from the AWS KMS key dropdown list. Check Enable under Encryption in transit to enable encryption in transit for your new cluster. (Optional) For Access control, configure the access control settings required for authenticating and authorizing access.
    • For Backup, check Enable automatic backups to enable automatic backups. Configure the Backup retention period and preferred Backup window.
    • For Maintenance, set Maintenance window, check Enable under Auto upgrade minor versions to enable auto minor version upgrades, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification list.
    • For Logs, check Enable under Slow logs and Engine logs to enable Redis engine logs and slow logs for the new cluster. Choose the required Log format and Log destination type for each log type.
    • (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
    • Choose Next to continue the setup.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new, encrypted Redis cache cluster.

04 (Optional) To optimize your Amazon ElastiCache costs and remove the source (non-compliant) Redis cache cluster from your AWS cloud account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Redis caches.
  2. Select the Redis cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the confirmation box, choose whether to create a final backup for the source cluster, type the name of the selected cluster in the required text box, then choose Delete to confirm the cluster removal.

05 Repeat steps no. 3 and 4 for each Redis cache cluster that you want to relaunch, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Re-create your Amazon ElastiCache Redis replication group with the create-replication-group command (OSX/Linux/UNIX), using the --transit-encryption-enabled and --at-rest-encryption-enabled command parameters to enable in-transit and at-rest encryption for the new cache cluster. (Optional) To use your own Amazon KMS Customer Managed Key (CMK) for encryption at rest, include the --kms-key-id parameter in the command request:

aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-new-production-cache-cluster" \
  --replication-group-description "Encrypted Redis Cache Replication Group" \
  --engine "redis" \
  --num-cache-clusters 2 \
  --cache-node-type "cache.r4.large" \
  --cache-subnet-group-name "cc-redis-cache-sg" \
  --transit-encryption-enabled \
  --at-rest-encryption-enabled \
  --kms-key-id "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

02 The command output should return the information available for the new Redis cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-new-production-cache-cluster",
		"Description": "Encrypted Redis Cache Replication Group",
		"GlobalReplicationGroupInfo": {},
		"Status": "creating",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-new-production-cache-cluster-001",
			"cc-new-production-cache-cluster-002"
		],

		...

		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "06:00-07:00",
		"ClusterEnabled": false,
		"CacheNodeType": "cache.r4.large",
		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": true,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-new-production-cache-cluster",
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

03 (Optional) To optimize your Amazon ElastiCache costs and remove the source (non-compliant) Redis cache cluster from your AWS cloud account, run delete-replication-group command (OSX/Linux/UNIX):

aws elasticache delete-replication-group \
  --region us-east-1 \
  --replication-group-id cc-production-redis-cluster

04 The output should return the information available for the deleted Redis cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-production-redis-cluster",
		"Description": " ",
		"GlobalReplicationGroupInfo": {},
		"Status": "deleting",
		"PendingModifiedValues": {},
		"AutomaticFailover": "disabled",

		...

		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "05:00-06:00",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

05 Repeat steps no. 1 – 4 for each Redis cache cluster that you want to re-create, available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.

Publication date Dec 16, 2017