Amazon_ElastiCache_1

Ensure AWS ElastiCache Redis clusters are encrypted

Description

Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, between clients and cache servers, known as data in-transit.

Remediation

Perform the following steps to enable encryption for your ElastiCache Redis clusters:

  1. Sign in to the AWS Management Console.
  2. Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.
  3. In the left navigation panel, under ElastiCache Dashboard, click Redis to access the cache clusters created with the Redis engine.
  4. Choose the cache cluster that you want to re-create and click on the Show/Hide Item Details button to expand the panel with the resource configuration details.
  5. On the cluster details panel, copy the current values set for attributes such as Name, Engine Version Compatibility, Node Type, Number of Nodes/Shards, Multi-AZ, Availability Zones, Security and Parameter Group(s). The configuration information copied is required for the next step (i.e. Redis cache cluster relaunch).
  6. Now it's time to re-create the selected Redis cache cluster with a different encryption configuration. To relaunch the necessary cache cluster, perform the following actions:
    1. Click Create button from the dashboard top menu to start the setup process.
    2. On the Create your Amazon ElastiCache cluster page, perform the following actions:
      • Select Redis from the Cluster Engine section to select the required cache engine type.
      • Enter a name for the new cache cluster within Name box.
      • Select 3.2.6 for Redis engine version from Engine Version Compatibility dropdown list.
      • Select both the Encryption in-transit and Encryption at-rest checkboxes to enable encryption.
      • Set or paste the configuration attribute values copied at step no. 5 inside the corresponding fields within Redis settings section.
      • Click Advanced Redis settings tab to expand the cluster advanced settings panel then select the same subnet and security group(s) used by the source cache cluster.
      • Click Create to launch your new Amazon ElastiCache Redis cluster. Once the cache cluster has been successfully created, its status should change from creating to available.
  7. Once you have replaced the source cache cluster endpoint (e.g. cc-redis3-cache.aaabbb.0001.cccc.cache.amazonaws.com:6379) with the new cluster endpoint (e.g. cc-new-redis3-cache.aaabbb.0001.cccc.cache.amazonaws.com:3560) within your web application(s) configuration, it is safe to shut down and delete the source cache cluster in order to stop incurring charges for it. To remove the unencrypted ElastiCache cluster from your AWS account, perform the following:
    1. Select the cache cluster that you want to remove and click the Delete button from the dashboard top menu.
    2. In the Delete Cluster confirmation box, select Yes from the Create final backup dropdown menu, provide a name for the cluster backup, then click Delete.
  8. Repeat steps no. 4 – 7 to enable in-transit and at-rest encryption for other Amazon ElastiCache Redis clusters provisioned in the current region.
  9. Change the AWS region from the navigation bar and repeat the process for other regions.
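Before and after the console procedure above, a practitioner usually wants a scriptable check for which Redis clusters still lack one or both encryption settings, per region. The following is an added example and is not part of the original rule page. It evaluates the JSON that `aws elasticache describe-replication-groups` and `aws elasticache describe-cache-clusters` return, using the real response attributes AtRestEncryptionEnabled and TransitEncryptionEnabled. The two sample documents embedded in the script are constructed for the demonstration (the group names are made up and echo the endpoint examples in step 7); `audit_from_json` accepts the raw CLI output in their place.

```python
"""Audit ElastiCache Redis clusters for missing at-rest / in-transit encryption.

Added example, not code from the original rule page. Evaluates the JSON
returned by `aws elasticache describe-replication-groups` and
`aws elasticache describe-cache-clusters` (real response fields:
ReplicationGroupId, CacheClusterId, Engine, AtRestEncryptionEnabled,
TransitEncryptionEnabled). The sample documents below are constructed.
"""
import json

# Constructed sample of `aws elasticache describe-replication-groups` output.
SAMPLE_REPLICATION_GROUPS = json.dumps({
    "ReplicationGroups": [
        {   # encrypted at rest and in transit: compliant
            "ReplicationGroupId": "cc-new-redis3-cache",
            "AtRestEncryptionEnabled": True,
            "TransitEncryptionEnabled": True,
        },
        {   # created with neither checkbox selected: two findings
            "ReplicationGroupId": "cc-redis3-cache",
            "AtRestEncryptionEnabled": False,
            "TransitEncryptionEnabled": False,
        },
        {   # at-rest only: still a finding for in-transit
            "ReplicationGroupId": "sessions-cache",
            "AtRestEncryptionEnabled": True,
            "TransitEncryptionEnabled": False,
        },
    ]
})

# Constructed sample of `aws elasticache describe-cache-clusters` output.
# Replication-group members, standalone Redis nodes and Memcached clusters
# all appear in this list.
SAMPLE_CACHE_CLUSTERS = json.dumps({
    "CacheClusters": [
        {"CacheClusterId": "cc-redis3-cache-001", "Engine": "redis",
         "ReplicationGroupId": "cc-redis3-cache",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        {"CacheClusterId": "single-node-redis", "Engine": "redis",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": True},
        {"CacheClusterId": "memcached-a", "Engine": "memcached"},
    ]
})


def evaluate(resource_id: str, resource: dict) -> list:
    """Return one finding string per missing encryption setting."""
    findings = []
    # A missing attribute is treated as disabled: the API omits it for
    # clusters that were never eligible for encryption.
    if not resource.get("AtRestEncryptionEnabled", False):
        findings.append(f"{resource_id}: at-rest encryption disabled")
    if not resource.get("TransitEncryptionEnabled", False):
        findings.append(f"{resource_id}: in-transit encryption disabled")
    return findings


def audit_replication_groups(doc: dict) -> list:
    """Audit every replication group (the Redis cluster as seen in the console)."""
    findings = []
    for rg in doc.get("ReplicationGroups", []):
        findings.extend(evaluate(rg["ReplicationGroupId"], rg))
    return findings


def audit_cache_clusters(doc: dict) -> list:
    """Audit standalone Redis nodes only: members of a replication group are
    reported at group level, and the rule does not cover Memcached."""
    findings = []
    for cc in doc.get("CacheClusters", []):
        if cc.get("Engine") != "redis" or cc.get("ReplicationGroupId"):
            continue
        findings.extend(evaluate(cc["CacheClusterId"], cc))
    return findings


def audit_from_json(rg_json: str, cc_json: str) -> list:
    """Combine both audits over raw CLI output (strings of JSON)."""
    return (audit_replication_groups(json.loads(rg_json))
            + audit_cache_clusters(json.loads(cc_json)))


if __name__ == "__main__":
    for finding in audit_from_json(SAMPLE_REPLICATION_GROUPS, SAMPLE_CACHE_CLUSTERS):
        print(finding)
```

To run it against an account, save `aws elasticache describe-replication-groups --region <region>` and `aws elasticache describe-cache-clusters --region <region>` to files and pass their contents to `audit_from_json`, once per region, which mirrors step 9 of the procedure. An empty result for a region means every Redis cluster there has both settings enabled; each finding names a cluster that has to be re-created as described in step 6.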

Service

ElastiCache

Severity

Medium

Compliance

Mapping
