Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled

Error: AWS ElastiCache Redis cluster with in-transit encryption is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_10
Checkov Check ID: CKV_AWS_30
Severity: MEDIUM

AWS ElastiCache Redis cluster with in-transit encryption is disabled

Description

ElastiCache for Redis offers optional encryption in transit. In-transit encryption provides an additional layer of data protection when transferring data over standard HTTPS protocol. In-transit encryption can only be enabled on Redis replication groups at time of their creation.

ElastiCache for Redis in-transit encryption enables the following features:

  • Encrypted connections: server and client connections are Secure Socket Layer (SSL) encrypted.
  • Encrypted replication: data transfer between primary replicas is encrypted.
  • Server authentication.
  • Client authentication.

Fix - Runtime

ElastiCache Console

To create a replication group using the ElastiCache console, make the following selections:

  1. Engine: redis.
  2. Engine version: 3.2.6, 4.0.10 or later.
  3. Encryption in-transit list: Yes.

CLI command

The parameters TransitEncryptionEnabled (CLI: --transit-encryption-enabled) are only available when using the CreateReplicationGroup (CLI: create-replication-group) operation.

aws elasticache create-replication-group ^
   --replication-group-id sample-repl-group ^
   --replication-group-description "Demo cluster with replicas" ^
   --num-cache-clusters 3 ^
   --cache-node-type cache.m4.large ^
   --cache-parameter-group default.redis3.2 ^
   --engine redis ^
   --engine-version 3.2.4
   --transit-encryption-enabled

Fix - Buildtime

Terraform

  • Resource: aws_elasticache_replication_group
  • Argument: transit_encryption_enabled - (Optional) Whether to enable encryption in transit.
resource "aws_elasticache_replication_group" "example"{
  ...
  replication_group_id          = "default-1"
+ transit_encryption_enabled    = true
  ...
}

CloudFormation

  • Resource: AWS::ElastiCache::ReplicationGroup
  • Argument: Properties.TransitEncryptionEnabled - (Optional) Whether to enable encryption in transit.
Resources:
	ReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      ...
+     TransitEncryptionEnabled: True