More Info:
This rule checks whether Amazon ElastiCache replication groups have Redis AUTH enabled. Redis AUTH provides authentication and access control mechanisms to secure ElastiCache clusters. The rule is marked as non-compliant for an ElastiCache replication group if the Redis version of its nodes is below 6 (since Version 6+ uses Redis ACLs) and the ‘AuthToken’ parameter is missing or is empty/null.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of “Auth Should Be Enabled ElastiCache Replication Groups” for AWS ElasticSearch using the AWS console, follow these steps:
- Login to AWS Console: Go to the AWS Management Console and login to your AWS account.
- Navigate to Amazon Elasticsearch Service: From the AWS Management Console, navigate to the Amazon Elasticsearch Service by typing “Elasticsearch” in the search bar and selecting the Elasticsearch service.
- Select the Elasticsearch Domain: Select the Elasticsearch domain for which you want to enable authentication.
- Click on the “Modify” Button: Click on the “Modify” button at the top of the Elasticsearch domain dashboard.
- Scroll down to the “Advanced security options” Section: Scroll down the page to find the “Advanced security options” section.
- Enable Auth: Under the “Advanced security options” section, you will find the “Require HTTPS” and “Enable Auth” options. Check the “Enable Auth” checkbox to enable authentication for the Elasticsearch domain.
- Configure Auth Settings: Configure the authentication settings as per your requirements. You can choose to use AWS Identity and Access Management (IAM) roles or configure a custom authentication mechanism.
- Save Changes: Once you have configured the authentication settings, scroll to the bottom of the page and click on the “Submit” button to save the changes.
- Monitor the Status: The modification process may take some time to complete. Monitor the status of the modification from the Elasticsearch domain dashboard.
- Verify Authentication: Once the modification is complete, verify that authentication is enabled for the Elasticsearch domain by trying to access the domain and providing the necessary credentials.
Using CLI
Using CLI
To remediate the misconfiguration of Auth not being enabled in ElastiCache replication groups for AWS ElasticSearch using AWS CLI, you can follow these steps:Replace Replace
- Open your terminal or command prompt.
- Use the following AWS CLI command to enable Auth for your ElastiCache replication group:
<your-replication-group-id> with the actual ID of your ElastiCache replication group.- Verify the changes by describing the replication group using the following command:
<your-replication-group-id> with the actual ID of your ElastiCache replication group.- Check the output to ensure that Auth is now enabled for your ElastiCache replication group.
Using Python
Using Python
To remediate the misconfiguration of enabling Auth for ElastiCache Replication Groups in AWS, you can use the AWS Boto3 Python SDK to interact with the AWS API. Here are the step-by-step instructions to enable Auth for ElastiCache Replication Groups in AWS using Python:
- Install the Boto3 library if you haven’t already:
- Create a Python script with the following code snippet to enable Auth for ElastiCache Replication Groups:
-
Replace
'your_replication_group_id'with the actual Replication Group Id for which you want to enable Auth. -
Replace
'your_auth_token'with your desired Auth Token. Make sure to keep this token secure as it will be used for authentication. - Run the Python script. This will enable Auth for the specified ElastiCache Replication Group in AWS.