More Info:

Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of enabling in-transit encryption for Redis Cache Servers in Azure:
  1. Login to your Azure portal and navigate to the Redis Cache Server that needs to be remediated.
  2. Click on the “Configuration” tab from the left-hand side menu.
  3. Scroll down to the “Security” section and click on the “Edit” button.
  4. Under the “Transport Security Settings” section, select the “Enable SSL” option.
  5. Click on the “Save” button to save the changes.
  6. Once the changes are saved, the Redis Cache Server will be configured to use in-transit encryption using SSL.
  7. Verify the changes by connecting to the Redis Cache Server using a Redis client and checking if the connection is encrypted using SSL.
That’s it! You have successfully remediated the misconfiguration of enabling in-transit encryption for Redis Cache Servers in Azure using the Azure console.

To enable In-Transit Encryption for Redis Cache Servers in AZURE using AZURE CLI, follow these steps:
  1. Open the Azure CLI on your local machine or Azure Cloud Shell.
  2. Login to your Azure account using the command: 
    az login
  3. Select the subscription you want to work with using the command: 
    az account set --subscription <subscription_id>
  4. Check the current encryption status of your Redis Cache Server using the command: 
    az redis show --name <redis_server_name> --resource-group <resource_group_name> --query 'enableNonSslPort'
    If the output is “true”, it means that In-Transit Encryption is not enabled.
  5. Enable In-Transit Encryption for Redis Cache Server using the command: 
    az redis update --name <redis_server_name> --resource-group <resource_group_name> --enable-non-ssl-port false
    This will disable non-SSL port and enable In-Transit Encryption for Redis Cache Server.
  6. Verify the encryption status again using the command: 
    az redis show --name <redis_server_name> --resource-group <resource_group_name> --query 'enableNonSslPort'
    The output should be “false”, indicating that In-Transit Encryption is now enabled for Redis Cache Server.
That’s it! You have successfully remediated the misconfiguration by enabling In-Transit Encryption for Redis Cache Server in AZURE using AZURE CLI.
To enable in-transit encryption for Redis Cache servers in AZURE using Python, you can follow the below steps:
  1. Import the required libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.redis import RedisManagementClient
from azure.mgmt.redis.models import RedisAccessKeys, RedisUpdateParameters
  1. Authenticate and create a Redis Cache Management Client:
credential = DefaultAzureCredential()
redis_client = RedisManagementClient(credential, subscription_id)
  1. Get the Redis Cache instance:
redis_instance = redis_client.redis.get(resource_group_name, redis_cache_name)
  1. Update the Redis Cache instance to enable in-transit encryption:
redis_instance.enable_non_ssl_port = False
redis_instance.minimum_tls_version = '1.2'
redis_instance.tls_port = 6380
redis_instance.redis_configuration['requirepass'] = 'your_redis_password'
redis_update_params = RedisUpdateParameters(enable_non_ssl_port=False, minimum_tls_version='1.2', tls_port=6380, redis_configuration={'requirepass': 'your_redis_password'})
redis_client.redis.update(resource_group_name, redis_cache_name, redis_update_params)
Note: Replace subscription_id, resource_group_name, redis_cache_name, and your_redis_password with the actual values.This will enable in-transit encryption for the Redis Cache instance in AZURE.