Ensure AWS ElastiCache Replication Groups encrypt data in transit and require an AUTH token for authentication

HIGH

Description

When creating Redis replication groups in ElastiCache, encryption can be enabled for data in transit. This protects data (including the AUTH token itself) while it is transmitted between clients and the cache nodes and between the nodes themselves. In-transit encryption is also a prerequisite for requiring an AUTH token: a replication group that accepts unauthenticated, plaintext connections is reachable by anything that can reach its endpoint on the network. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html

Remediation

To enable authentication on an existing replication group, call the ModifyReplicationGroup API operation (the `aws elasticache modify-replication-group` CLI command) with the auth token parameter set to the new token and the auth token update strategy set to ROTATE. After the modification is complete, the group accepts the token specified in the auth token parameter in addition to still accepting connections without authentication, so existing clients keep working while they are updated. To make the token mandatory, call ModifyReplicationGroup again with the same token and the update strategy set to SET; only then are unauthenticated connections refused. Enabling authentication is only supported on replication groups with encryption in transit (TLS) enabled. The token must be 16 to 128 printable ASCII characters and may not contain '/', '"' or '@'.

In Terraform -

  1. In the aws_elasticache_replication_group resource, set the auth_token field to the token you wish to use. Supply it from a variable marked sensitive or from a secrets store rather than hardcoding it in the configuration, since the value ends up in state and in plan output otherwise.
  2. The field transit_encryption_enabled must also be set to true; the provider rejects auth_token without it. Check the provider documentation for your version before enabling it on an existing group: older provider versions replace the group rather than modifying it in place, which discards its data.
  3. Set the apply_immediately field accordingly (Note: true applies the change now instead of waiting for the next maintenance window, and the modification can restart nodes).
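The steps above, and the ROTATE/SET rotation described under the API remediation, as one complete Terraform configuration. This is an added example and is not code from the original page or from the provider; the resource names, the replication group ID, the node type and the engine version are placeholders, and the token character class in the validation is the conservative set accepted by the AWS documentation rather than a requirement of this rule.

```hcl
# Added example: an ElastiCache replication group that satisfies AC_AWS_0380
# (TLS in transit plus a required AUTH token). Names and sizes are placeholders.

variable "redis_auth_token" {
  description = "AUTH token for the replication group (16-128 printable ASCII characters)"
  type        = string
  sensitive   = true # keeps the value out of plan/apply output

  validation {
    # Conservative character class: alphanumerics and the special characters the
    # AWS documentation permits. '/', '"' and '@' are never allowed.
    condition     = can(regex("^[A-Za-z0-9!&#$^<>-]{16,128}$", var.redis_auth_token))
    error_message = "redis_auth_token must be 16-128 characters from [A-Za-z0-9!&#$^<>-]."
  }
}

variable "apply_immediately" {
  description = "true applies changes now (may restart nodes); false waits for the maintenance window"
  type        = bool
  default     = false
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "example-redis"
  description                = "Redis with TLS and a required AUTH token"
  engine                     = "redis"
  engine_version             = "7.1"
  node_type                  = "cache.t4g.small"
  port                       = 6379
  num_cache_clusters         = 2
  automatic_failover_enabled = true

  # Required by this rule: TLS in transit. auth_token is rejected without it.
  transit_encryption_enabled = true
  auth_token                 = var.redis_auth_token

  # How a changed auth_token is applied. ROTATE keeps the previous token valid
  # alongside the new one so clients can be updated; a second apply with SET
  # makes the current token the only valid one. Switch this to "SET" for that
  # second apply, then back to "ROTATE" for the next rotation.
  auth_token_update_strategy = "ROTATE"

  # Not required by this rule, but normally enabled together with TLS.
  at_rest_encryption_enabled = true

  apply_immediately = var.apply_immediately
}

output "redis_primary_endpoint" {
  value = aws_elasticache_replication_group.redis.primary_endpoint_address
}
```

Pass the token with `TF_VAR_redis_auth_token` or a tfvars file that is not committed; a rotation is then two applies, the first with `auth_token_update_strategy = "ROTATE"` and the new token, the second with `"SET"` once every client has the new token. Clients must connect with TLS (`rediss://` or the equivalent TLS option of the client library) and send AUTH before any other command.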

References:
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group

Policy Details

Rule Reference ID: AC_AWS_0380
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: ElastiCache

Frameworks