Ensure data stored in the ElastiCache Replication Group is securely encrypted in-transit

Error: Data stored in the ElastiCache Replication Group is not securely encrypted in-transit

Bridgecrew Policy ID: BC_AWS_GENERAL_11
Checkov Check ID: CKV_AWS_31
Severity: MEDIUM


Description

In Amazon ElastiCache, the Redis AUTH command requires users to present a password before they are permitted to execute Redis commands on a password-protected server. Authentication can only be enabled when you create a cluster with the in-transit encryption option enabled. When Redis authentication is enabled, users must pass an additional layer of authentication before they gain access to the server and permission to perform actions.
We recommend that all data stored in the ElastiCache Replication Group be securely encrypted in transit and that the replication group be protected with an authentication token.

Fix - Runtime

Procedure

To authenticate a user using Redis AUTH, create a new Redis cluster with the following parameters enabled:

  • transit-encryption-enabled
  • auth-token

CLI Command

The following AWS CLI operation modifies an existing replication group to rotate its AUTH token to the value This-is-the-rotated-token.

aws elasticache modify-replication-group \
    --replication-group-id authtestgroup \
    --auth-token This-is-the-rotated-token \
    --auth-token-update-strategy ROTATE \
    --apply-immediately

Fix - Buildtime

Terraform

  • Resource: aws_elasticache_replication_group
  • Argument: auth_token - (Optional) The password used to access a password-protected server. Can be specified only if transit_encryption_enabled = true.
resource "aws_elasticache_replication_group" "example" {
  ...
  at_rest_encryption_enabled    = true
+ auth_token                    = var.auth_token
+ transit_encryption_enabled    = true
  ...
}

CloudFormation

  • Resource: AWS::ElastiCache::ReplicationGroup
  • Argument: AuthToken - (Optional) The password used to access a password-protected server. Can be specified only if TransitEncryptionEnabled = true.
Resources:
  ReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      ...
+     AuthToken: 'MySecret!AuthToken$'
+     TransitEncryptionEnabled: True
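The following is an added example, not Checkov's own implementation of CKV_AWS_31: a small policy-as-code check that applies this page's rule (TransitEncryptionEnabled must be true and AuthToken must be set, and AuthToken is only valid with in-transit encryption) to a parsed CloudFormation template. It goes one step beyond the page by also warning when the AuthToken is a plaintext literal rather than a Secrets Manager dynamic reference; the template, resource names and secret id are constructed sample input.

```python
"""Policy-as-code check mirroring CKV_AWS_31 for CloudFormation
AWS::ElastiCache::ReplicationGroup resources (constructed sample input)."""

RESOURCE_TYPE = "AWS::ElastiCache::ReplicationGroup"


def _is_true(value):
    # CloudFormation accepts YAML booleans as well as the strings "true"/"True".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_replication_group(props):
    """Return (passed, findings) for one resource's Properties dict."""
    findings = []
    transit = _is_true(props.get("TransitEncryptionEnabled", False))
    token = props.get("AuthToken")
    if not transit:
        findings.append("TransitEncryptionEnabled is not true")
    if token in (None, ""):
        findings.append("AuthToken is not set")
    elif not transit:
        # AWS rejects AuthToken without in-transit encryption; the stack would fail to deploy.
        findings.append("AuthToken requires TransitEncryptionEnabled = true")
    elif isinstance(token, str) and not token.startswith("{{resolve:"):
        # Hardcoded secret in the template; prefer a NoEcho parameter or a dynamic reference.
        findings.append("warning: AuthToken is a plaintext literal in the template")
    passed = not any(not f.startswith("warning") for f in findings)
    return passed, findings


def scan_template(template):
    """Evaluate every replication group in a parsed template: {logical_id: (passed, findings)}."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == RESOURCE_TYPE:
            results[logical_id] = check_replication_group(res.get("Properties", {}))
    return results


# Constructed sample template: one compliant group (token from Secrets Manager), one non-compliant.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodGroup": {"Type": RESOURCE_TYPE, "Properties": {
        "TransitEncryptionEnabled": True,
        "AuthToken": "{{resolve:secretsmanager:example/redis-auth:SecretString:token}}"}},
    "BadGroup": {"Type": RESOURCE_TYPE, "Properties": {"AtRestEncryptionEnabled": True}},
}}

if __name__ == "__main__":
    for name, (ok, notes) in scan_template(SAMPLE_TEMPLATE).items():
        print(name, "PASSED" if ok else "FAILED", notes)
```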