Ensure all data stored in the ElastiCache Replication Group is encrypted in transit and protected by an auth token
ID | elasticache_replication_group_encryption_auth_token
Severity | high
Vendor | AWS
Resource | ElastiCache
Tags | reachable
Description
Amazon ElastiCache is a managed service for setting up, operating and scaling a distributed in-memory data store or cache in the cloud, removing most of the work of deploying and managing such an environment yourself.
To help keep your data secure, ElastiCache provides in-transit encryption (TLS) so that data is protected while it moves between clients and the cache nodes, and between the primary and replica nodes of a replication group.
Redis AUTH adds a second control: a client must present a password (the AuthToken) before it is allowed to execute commands on the server, so a host that can reach the endpoint cannot read or write the cache without the secret. Encryption without authentication still lets any network peer that reaches the endpoint talk to the cache, and an AuthToken can only be set on a replication group that has in-transit encryption enabled. This check therefore requires both: TransitEncryptionEnabled set to true and an AuthToken provided.
Examples
CloudFormation
{
"Resources": {
"MyReplicationGroup": {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"TransitEncryptionEnabled": true (1)
}
}
}
}
1 | TransitEncryptionEnabled enabled but AuthToken is not provided. |
Resources:
MyReplicationGroup:
Type: 'AWS::ElastiCache::ReplicationGroup'
Properties:
TransitEncryptionEnabled: True (1)
1 | TransitEncryptionEnabled enabled but AuthToken is not provided. |
Mitigation / Fix
Buildtime
CloudFormation
{
"Resources": {
"MyReplicationGroup": {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"TransitEncryptionEnabled": true, (1)
"AuthToken": "MySecret!AuthToken$" (2)
}
}
}
}
1 | TransitEncryptionEnabled enabled. |
2 | AuthToken provided. AuthToken is only accepted when TransitEncryptionEnabled is true. The literal value is shown for brevity; in a real template pass the token from a NoEcho parameter or a Secrets Manager dynamic reference ({{resolve:secretsmanager:...}}) so the secret is not committed with the template. |
Resources:
MyReplicationGroup:
Type: 'AWS::ElastiCache::ReplicationGroup'
Properties:
TransitEncryptionEnabled: True (1)
AuthToken: 'MySecret!AuthToken$' (2)
1 | TransitEncryptionEnabled enabled. |
2 | AuthToken provided. As with the JSON form, prefer a NoEcho parameter or a Secrets Manager dynamic reference over a literal so the token does not live in version control. |
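The following is an added example, not the policy engine's own code: a small template-level check that applies this policy to a CloudFormation template in JSON form. It reports every AWS::ElastiCache::ReplicationGroup that does not have TransitEncryptionEnabled set to true together with an AuthToken, accepts tokens supplied through an intrinsic function or a Secrets Manager / SSM dynamic reference, and warns when the token is a plaintext literal. The token format regex (16 to 128 characters from letters, digits and ! & # $ ^ < > -) is an assumption about the AUTH token constraints, and the four sample templates are constructed for the example.

```python
"""Template-level check for elasticache_replication_group_encryption_auth_token.

Added example, not the policy engine's own code: parses a CloudFormation
template (JSON) and reports every AWS::ElastiCache::ReplicationGroup that
lacks TransitEncryptionEnabled=true together with an AuthToken.
"""
import json
import re

RG_TYPE = "AWS::ElastiCache::ReplicationGroup"

# Assumed AUTH token format (length 16-128; letters, digits and ! & # $ ^ < > -).
# Adjust if the documented limits differ from this assumption.
TOKEN_RE = re.compile(r"^[A-Za-z0-9!&#$^<>-]{16,128}$")

# CloudFormation dynamic references that resolve a secret at deploy time.
DYNAMIC_PREFIXES = ("{{resolve:secretsmanager:", "{{resolve:ssm-secure:")


def is_true(value):
    """CloudFormation accepts a JSON boolean or the strings 'true' / 'True'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def classify_token(token):
    """Return (acceptable, note) for the AuthToken property value."""
    if token is None:
        return False, "AuthToken not provided"
    if isinstance(token, dict):
        # Ref to a NoEcho parameter, Fn::Sub, etc.: the secret is not in the template.
        return True, "AuthToken supplied through an intrinsic function"
    if isinstance(token, str):
        if token.startswith(DYNAMIC_PREFIXES):
            return True, "AuthToken resolved from Secrets Manager/SSM at deploy time"
        if not TOKEN_RE.match(token):
            return False, "AuthToken literal does not match the assumed token format"
        return True, "WARNING: AuthToken is a plaintext literal; move it to Secrets Manager and rotate it"
    return False, "AuthToken has an unexpected type"


def evaluate(template_text):
    """Return one finding per replication group: (logical id, status, reason)."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RG_TYPE:
            continue
        props = resource.get("Properties", {})
        transit_ok = is_true(props.get("TransitEncryptionEnabled", False))
        token_ok, note = classify_token(props.get("AuthToken"))
        reasons = []
        if not transit_ok:
            reasons.append("TransitEncryptionEnabled is not true")
        if not token_ok:
            reasons.append(note)
        if reasons:
            findings.append((logical_id, "FAIL", "; ".join(reasons)))
        else:
            findings.append((logical_id, "PASS", note))
    return findings


def statuses(template_text):
    """Convenience view: {logical id: status}."""
    return {lid: status for lid, status, _ in evaluate(template_text)}


# Constructed sample templates (not from the page) covering the cases above.
FAIL_NO_TOKEN = json.dumps({"Resources": {"MyReplicationGroup": {
    "Type": RG_TYPE, "Properties": {"TransitEncryptionEnabled": True}}}})

FAIL_NO_TLS = json.dumps({"Resources": {"Rg": {
    "Type": RG_TYPE, "Properties": {"TransitEncryptionEnabled": False,
                                    "AuthToken": "MySecret!AuthToken$"}}}})

PASS_DYNAMIC_REF = json.dumps({"Resources": {
    "Rg": {"Type": RG_TYPE, "Properties": {
        "TransitEncryptionEnabled": "true",
        "AuthToken": "{{resolve:secretsmanager:redis/auth:SecretString:token}}"}},
    "Unrelated": {"Type": "AWS::S3::Bucket"}}})

PASS_LITERAL = json.dumps({"Resources": {"Rg": {
    "Type": RG_TYPE, "Properties": {"TransitEncryptionEnabled": True,
                                    "AuthToken": "MySecret!AuthToken$"}}}})

if __name__ == "__main__":
    for name, tpl in [("no token", FAIL_NO_TOKEN), ("no TLS", FAIL_NO_TLS),
                      ("dynamic ref", PASS_DYNAMIC_REF), ("literal", PASS_LITERAL)]:
        for logical_id, status, reason in evaluate(tpl):
            print(f"{name:12s} {logical_id:20s} {status:4s} {reason}")
```

The check treats a template with AuthToken but TransitEncryptionEnabled false as a failure even though the deployment itself would be rejected; catching it at build time is cheaper than a failed stack update. A plaintext literal passes the policy but carries a warning, since the policy is about the configuration of the cache, while the handling of the secret is a separate problem that Secrets Manager or a NoEcho parameter solves.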