Ensure in-transit encryption is enabled for Azure Redis Cache

MEDIUM

Description

Azure Cache for Redis accepts TLS connections by default (on port 6380), but the unencrypted port (6379) can be left enabled, and the minimum TLS version the cache accepts can be set below 1.2. With the non-TLS port open, clients can send the access key and cached data in cleartext over the network. Keep the non-TLS port disabled and set the minimum TLS version to 1.2, the current industry baseline, so that connections over older TLS versions are refused. For more information, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Azure Cache for Redis.
  2. Select the Redis Cache you wish to edit.
  3. Under Settings, select Advanced Settings.
  4. Set Allow access only via SSL to Yes.
  5. Confirm that Non-SSL Port shows Disabled once the previous setting is applied.
  6. Set Minimum TLS version to 1.2.
  7. Save.

In Terraform -

  1. In the azurerm_redis_cache resource, set enable_non_ssl_port to false.
  2. Set minimum_tls_version to "1.2" (the value is a string).
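
The following is an added example, not configuration from the original page or from the azurerm provider documentation. It shows a non-compliant azurerm_redis_cache definition next to the corrected one so the two settings the rule checks are visible side by side. The resource group, cache names, location, and the provider version pin are assumed placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed pin; see the note below on the 4.x argument rename
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed placeholder resource group for the example.
resource "azurerm_resource_group" "example" {
  name     = "rg-redis-example"
  location = "westeurope"
}

# Non-compliant: the plaintext port 6379 stays open and TLS 1.0 clients are accepted.
# This is the configuration AC_AZURE_0201 flags.
resource "azurerm_redis_cache" "weak" {
  name                = "redis-weak-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 1
  family              = "C"
  sku_name            = "Standard"

  enable_non_ssl_port = true
  minimum_tls_version = "1.0"
}

# Compliant: only the TLS port 6380 is exposed, and TLS 1.2 is the accepted floor.
resource "azurerm_redis_cache" "hardened" {
  name                = "redis-hardened-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 1
  family              = "C"
  sku_name            = "Standard"

  enable_non_ssl_port = false
  minimum_tls_version = "1.2"
}
```

The example pins the 3.x provider because it uses the enable_non_ssl_port argument named on this page; in azurerm provider 4.x that argument was renamed to non_ssl_port_enabled, so check the provider documentation for the version you pin before copying the block. Clients must then connect to port 6380 with TLS enabled, which is worth verifying before the non-TLS port is closed on an existing cache.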

References:
https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache#enable_non_ssl_port

Policy Details

Rule Reference ID: AC_AZURE_0201
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: Redis

Frameworks