More Info:
Ensure that your AWS ElastiCache Redis clusters are encrypted in order to meet security and compliance requirements (keep Personally Identifiable Information safe). Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at rest, and data that can be intercepted as it travels through the network between clients and cache servers, known as data in transit.

Risk Level:
High

Address:
Security

Compliance Standards:
HIPAA, GDPR, NIST, SOC2, NIST CSF, PCI DSS

Remediation:
How to encrypt ElastiCache at rest and in transit.

Using AWS Console

Encrypting ElastiCache at Rest:
- Log in to the AWS Management Console using your AWS account credentials.
- Navigate to the ElastiCache service by selecting “ElastiCache” from the services menu.
- In the ElastiCache dashboard, select the cache cluster for which you want to enable encryption. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “Elasticcache should be encrypted at rest and in transit” Policy.)
- Click on the “Actions” button and select “Modify” from the dropdown menu.
- In the Modify cluster settings page, scroll down to the “Encryption at Rest” section.
- Choose the encryption option that suits your requirements. You have two options:
  - AWS Managed Keys (AWS KMS): Select “Enable” and choose the appropriate AWS Key Management Service (KMS) key from the dropdown menu.
  - Customer Managed Keys (CMKs): Select “Enable” and provide the ARN of the customer managed key you want to use.
- Review the other configuration settings as needed and click on the “Modify” button.
- AWS will apply the encryption changes to the ElastiCache cluster, which may take a few minutes to complete.
- Once the encryption is successfully applied, your ElastiCache data will be encrypted at rest.

Encrypting ElastiCache in Transit:
- Ensure that your ElastiCache cluster is deployed in a Virtual Private Cloud (VPC). If not, create a VPC and deploy your ElastiCache cluster within it.
- In the AWS Management Console, navigate to the VPC service by selecting “VPC” from the services menu.
- In the VPC dashboard, select “Security Groups” from the left navigation pane.
- Locate the security group associated with your ElastiCache cluster.
- Click on the security group, and in the “Inbound Rules” tab, add a new rule to allow incoming traffic on the desired port(s) for ElastiCache (e.g., port 6379 for Redis).
- Ensure that the source IP or CIDR range specified in the rule is limited to the trusted clients or applications that need access to the ElastiCache cluster.
- Click on “Save Rules” to apply the security group changes.
- By allowing access only from trusted sources, you ensure that the traffic to and from your ElastiCache cluster is encrypted in transit.
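Security group rules control which sources can reach the cache endpoint; whether encryption is actually enabled is recorded in the cluster's own configuration. The check below is an added example (not code from the original page or from Cloudanix) that reads the AtRestEncryptionEnabled and TransitEncryptionEnabled flags the DescribeReplicationGroups API reports; the sample response, group names and KMS key ARN are constructed, and the live scan assumes boto3 and AWS credentials are available.

```python
"""Added example (not the page's own code): flag ElastiCache Redis replication
groups that are not encrypted both at rest and in transit, using the flags the
DescribeReplicationGroups API reports. SAMPLE_RESPONSE is constructed for
offline use; scan_live_account() needs boto3 and AWS credentials."""
from typing import Dict, List


def find_unencrypted_groups(describe_response: Dict) -> List[Dict]:
    """Return one finding per group lacking at-rest or in-transit encryption.

    Input has the describe_replication_groups() shape; absent flags count as off.
    """
    findings = []
    for group in describe_response.get("ReplicationGroups", []):
        at_rest = bool(group.get("AtRestEncryptionEnabled", False))
        in_transit = bool(group.get("TransitEncryptionEnabled", False))
        if at_rest and in_transit:
            continue  # compliant with the policy
        findings.append({
            "ReplicationGroupId": group["ReplicationGroupId"],
            "AtRestEncryptionEnabled": at_rest,
            "TransitEncryptionEnabled": in_transit,
            "KmsKeyId": group.get("KmsKeyId"),  # present when a customer managed key was chosen
        })
    return findings


# Constructed sample: one compliant group, two that violate the policy.
SAMPLE_RESPONSE = {"ReplicationGroups": [
    {"ReplicationGroupId": "sessions-prod", "AtRestEncryptionEnabled": True,
     "TransitEncryptionEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"ReplicationGroupId": "cache-legacy", "AtRestEncryptionEnabled": False,
     "TransitEncryptionEnabled": False},
    {"ReplicationGroupId": "cache-kms-only", "AtRestEncryptionEnabled": True,
     "TransitEncryptionEnabled": False},
]}


def scan_live_account(region: str) -> List[Dict]:
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample runs without boto3
    client = boto3.client("elasticache", region_name=region)
    findings: List[Dict] = []
    for page in client.get_paginator("describe_replication_groups").paginate():
        findings.extend(find_unencrypted_groups(page))
    return findings
```

Single-node clusters that are not part of a replication group expose the same two flags through DescribeCacheClusters and can be checked the same way.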