Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled

Error: AWS ElastiCache Redis cluster with encryption for data at rest is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_9
Checkov Check ID: CKV_AWS_29
Severity: MEDIUM


Description

ElastiCache for Redis offers default encryption at rest as a service, as well as the ability to use your own symmetric customer-managed customer master keys in AWS Key Management Service (KMS).

ElastiCache for Redis at-rest encryption encrypts the following aspects:

  • Disk during sync, backup and swap operations
  • Backups stored in Amazon S3

Fix - Runtime

ElastiCache Console

To create a replication group using the ElastiCache console, make the following selections:

  1. Engine: redis.
  2. Engine version: 3.2.6, 4.0.10 or later.
  3. Encryption at-rest (drop-down list): Yes.

CLI Command

The following operation creates the Redis (cluster mode disabled) replication group my-classic-rg with three nodes (--num-cache-clusters 3): a primary and two read replicas. At-rest encryption is enabled for this replication group (--at-rest-encryption-enabled).

aws elasticache create-replication-group \
    --replication-group-id my-classic-rg \
    --replication-group-description "3 node replication group" \
    --cache-node-type cache.m4.large \
    --engine redis \
    --engine-version 4.0.10 \
    --at-rest-encryption-enabled \
    --num-cache-clusters 3 \
    --cache-parameter-group default.redis4.0

Fix - Buildtime

Terraform

  • Resource: aws_elasticache_replication_group
  • Argument: at_rest_encryption_enabled - (Optional) Whether to enable encryption at rest.
resource "aws_elasticache_replication_group" "default" {
  ...
  replication_group_id          = "default-1"
+ at_rest_encryption_enabled    = true
  ...
}

CloudFormation

  • Resource: AWS::ElastiCache::ReplicationGroup
  • Argument: AtRestEncryptionEnabled
Resources:
  ReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      ...
+     AtRestEncryptionEnabled: true
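The two fixes above correspond to two places where this policy can be checked: at runtime against the replication groups that actually exist, and at buildtime against the template before it is deployed. The script below is an added example, not Bridgecrew or Checkov code, that implements both checks over the document's own field names: `AtRestEncryptionEnabled` as returned by `aws elasticache describe-replication-groups` for the Runtime section, and the `AtRestEncryptionEnabled` property of `AWS::ElastiCache::ReplicationGroup` in a CloudFormation template (JSON form, so only the standard library is needed) for the Buildtime section. The sample describe output and template are constructed inline so it runs offline; treating a missing `AtRestEncryptionEnabled` as disabled is a deliberate conservative choice, since the property is off unless explicitly enabled.

```python
"""Detection helpers for CKV_AWS_29 / BC_AWS_GENERAL_9.

Added example (not Bridgecrew/Checkov code). Mirrors the page's
Runtime / Buildtime split:
  * runtime:   evaluate the JSON from `aws elasticache describe-replication-groups`
  * buildtime: evaluate a CloudFormation template (JSON form) for
               AWS::ElastiCache::ReplicationGroup resources
All input data below is constructed for the example.
"""
import json


def unencrypted_replication_groups(describe_response):
    """Return IDs of replication groups whose AtRestEncryptionEnabled is not True.

    A missing key is treated as disabled (assumption: the setting only exists
    when it was explicitly enabled at creation time).
    """
    findings = []
    for group in describe_response.get("ReplicationGroups", []):
        if group.get("AtRestEncryptionEnabled") is not True:
            findings.append(group["ReplicationGroupId"])
    return findings


def _is_true(value):
    # Template authors write the boolean as true, "true" or True; accept all forms.
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def unencrypted_cfn_replication_groups(template):
    """Return logical IDs of AWS::ElastiCache::ReplicationGroup resources in a
    CloudFormation template that do not set AtRestEncryptionEnabled to true."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ElastiCache::ReplicationGroup":
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("AtRestEncryptionEnabled")):
            findings.append(logical_id)
    return findings


# Constructed sample of `aws elasticache describe-replication-groups` output
# (only the fields the check needs are included).
DESCRIBE_OUTPUT = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "my-classic-rg", "AtRestEncryptionEnabled": True},
        {"ReplicationGroupId": "legacy-rg", "AtRestEncryptionEnabled": False},
        {"ReplicationGroupId": "old-api-rg"},  # field absent -> reported
    ]
}

# Constructed CloudFormation template in JSON form: one compliant group,
# one non-compliant group, and an unrelated resource that must be ignored.
CFN_TEMPLATE = json.loads("""
{
  "Resources": {
    "EncryptedGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "ReplicationGroupDescription": "encrypted",
        "AtRestEncryptionEnabled": true
      }
    },
    "PlainGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "ReplicationGroupDescription": "no at-rest encryption"
      }
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


if __name__ == "__main__":
    print("runtime findings:  ", unencrypted_replication_groups(DESCRIBE_OUTPUT))
    print("buildtime findings:", unencrypted_cfn_replication_groups(CFN_TEMPLATE))
```

To run the runtime check against a real account, pipe the output of `aws elasticache describe-replication-groups` through `json.load` and pass the result to `unencrypted_replication_groups`; for the buildtime check, load a JSON template (or convert a YAML one first) and pass it to `unencrypted_cfn_replication_groups`. Both functions return the identifiers of non-compliant groups, which makes them easy to wire into a CI gate or a scheduled audit.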