AWS ElastiCache Redis cluster with encryption for data at rest is disabled

Description

ElastiCache for Redis offers default encryption at rest as a service, as well as the ability to use your own symmetric customer-managed customer master keys in AWS Key Management Service (KMS).

ElastiCache for Redis at-rest encryption encrypts the following aspects:

  • Disk during sync, backup and swap operations
  • Backups stored in Amazon S3

Fix - Runtime

ElastiCache Console

To create a replication group using the ElastiCache console, make the following selections:

  1. Engine: redis.
  2. Engine version: 3.2.6, 4.0.10 or later.
  3. Encryption at-rest list: Yes.

CLI Command

The following operation creates the Redis (cluster mode disabled) replication group my-classic-rg with three nodes (--num-cache-clusters), a primary and two read replicas. At-rest encryption is enabled for this replication group (--at-rest-encryption-enabled).

aws elasticache create-replication-group \

–replication-group-id my-classic-rg \

–replication-group-description “3 node replication group” \

–cache-node-type cache.m4.large \

–engine redis \

–engine-version 4.0.10 \

–at-rest-encryption-enabled \ –

-num-cache-clusters 3 \

–cache-parameter-group default.redis4.0

Fix - Buildtime

Terraform
  • Resource: aws_elasticache_replication_group
  • Argument: at_rest_encryption_enabled – (Optional) Whether to enable encryption at rest.

resource “aws_elasticache_replication_group” “default”{

replication_group_id = “default-1”

+ at_rest_encryption_enabled = true

}

CloudFormation

  • Resource: AWS::ElastiCache::ReplicationGroup
  • Argument: AtRestEncryptionEnabled

Resources:

ReplicationGroup:

Type: ‘AWS::ElastiCache::ReplicationGroup’

Properties:

+ AtRestEncryptionEnabled: True

ReLambda