Enable In-Transit Encryption for Redis Cache Servers

More Info:

Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To enable In-Transit Encryption for Redis Cache Servers in AZURE using AZURE CLI, follow these steps:

Open the Azure CLI on your local machine or Azure Cloud Shell.
Login to your Azure account using the command:
```
az login
```
Select the subscription you want to work with using the command:
```
az account set --subscription <subscription_id>
```
Check the current encryption status of your Redis Cache Server using the command:
```
az redis show --name <redis_server_name> --resource-group <resource_group_name> --query 'enableNonSslPort'
```
If the output is “true”, it means that In-Transit Encryption is not enabled.
Enable In-Transit Encryption for Redis Cache Server using the command:
```
az redis update --name <redis_server_name> --resource-group <resource_group_name> --enable-non-ssl-port false
```
This will disable non-SSL port and enable In-Transit Encryption for Redis Cache Server.
Verify the encryption status again using the command:
```
az redis show --name <redis_server_name> --resource-group <resource_group_name> --query 'enableNonSslPort'
```
The output should be “false”, indicating that In-Transit Encryption is now enabled for Redis Cache Server.

That’s it! You have successfully remediated the misconfiguration by enabling In-Transit Encryption for Redis Cache Server in AZURE using AZURE CLI.

Using Python

To enable in-transit encryption for Redis Cache servers in AZURE using Python, you can follow the below steps:

Import the required libraries:

from azure.identity import DefaultAzureCredential
from azure.mgmt.redis import RedisManagementClient
from azure.mgmt.redis.models import RedisAccessKeys, RedisUpdateParameters

Authenticate and create a Redis Cache Management Client:

credential = DefaultAzureCredential()
redis_client = RedisManagementClient(credential, subscription_id)

Get the Redis Cache instance:

redis_instance = redis_client.redis.get(resource_group_name, redis_cache_name)

Update the Redis Cache instance to enable in-transit encryption:

redis_instance.enable_non_ssl_port = False
redis_instance.minimum_tls_version = '1.2'
redis_instance.tls_port = 6380
redis_instance.redis_configuration['requirepass'] = 'your_redis_password'
redis_update_params = RedisUpdateParameters(enable_non_ssl_port=False, minimum_tls_version='1.2', tls_port=6380, redis_configuration={'requirepass': 'your_redis_password'})
redis_client.redis.update(resource_group_name, redis_cache_name, redis_update_params)

Note: Replace subscription_id, resource_group_name, redis_cache_name, and your_redis_password with the actual values.This will enable in-transit encryption for the Redis Cache instance in AZURE.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Enable In-Transit Encryption for Redis Cache Servers

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation