AWS ElastiCache Redis cluster with encryption for data at rest disabled

ID

elasticache_no_encryption_at_rest

Severity

high

Vendor

AWS

Resource

ElastiCache

Tags

reachable

Description

Amazon ElastiCache is a managed in-memory caching service.

ElastiCache for Redis offers default encryption at rest as a service, with the ability to use custom symmetric master keys in AWS Key Management Service (KMS).

ElastiCache for Redis at-rest encryption encrypts the following aspects:

  • Disk during sync, backup and swap operations

  • Backups stored in Amazon S3

This detector reports aws_elasticache_replication_group resources that do not have at-rest encryption enabled (at_rest_encryption_enabled = true).

Examples

CloudFormation

{
  "Resources": {
    "ReplicationGroup": { (1)
      "Type": "AWS::ElastiCache::ReplicationGroup"
    }
  }
}
1 No AtRestEncryptionEnabled set to true.

Resources:
  ReplicationGroup: (1)
    Type: 'AWS::ElastiCache::ReplicationGroup'
1 No AtRestEncryptionEnabled set to true.

Terraform

# FLAW, no at_rest_encryption_enabled attribute
resource "aws_elasticache_replication_group" "fail_2" {
  automatic_failover_enabled = true
  availability_zones = ["us-west-2a", "us-west-2b"]
  replication_group_id = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type = "cache.m4.large"
  number_cache_clusters = 2
  parameter_group_name = "default.redis3.2"
  port = 6379
  transit_encryption_enabled = true
  auth_token = "${var.auth_token}"
}

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "ReplicationGroup": { (1)
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "AtRestEncryptionEnabled": true
      }
    }
  }
}
1 AtRestEncryptionEnabled set to true.

Resources:
  ReplicationGroup: (1)
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AtRestEncryptionEnabled: True
1 AtRestEncryptionEnabled set to true.

Terraform

resource "aws_elasticache_replication_group" "pass" {
  automatic_failover_enabled = true
  availability_zones = ["us-west-2a", "us-west-2b"]
  replication_group_id = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type = "cache.m4.large"
  number_cache_clusters = 2
  parameter_group_name = "default.redis3.2"
  port = 6379
  at_rest_encryption_enabled = true # FIXED
  transit_encryption_enabled = true
  auth_token = "${var.auth_token}"
}

Runtime

CLI Command

When creating the Redis replication group with the aws command, the --at-rest-encryption-enabled flag can be used:

aws elasticache create-replication-group ... \
  --at-rest-encryption-enabled \
  ...
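The detector condition described above (a replication group whose AtRestEncryptionEnabled is absent or not true) and the runtime audit can both be expressed in a few lines. The following is an added example, not the detector's own implementation: it checks a CloudFormation JSON template at build time and the JSON printed by aws elasticache describe-replication-groups at runtime; the template, resource names and group IDs are constructed samples.

```python
import json

REPLICATION_GROUP_TYPE = "AWS::ElastiCache::ReplicationGroup"


def _is_true(value):
    """CloudFormation accepts JSON true or the string "true" for Boolean properties."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def unencrypted_cfn_resources(template):
    """Logical IDs of replication groups that fail the detector: the
    AtRestEncryptionEnabled property is missing or set to anything but true."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != REPLICATION_GROUP_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("AtRestEncryptionEnabled")):
            findings.append(logical_id)
    return findings


def unencrypted_live_groups(describe_output):
    """Same check against `aws elasticache describe-replication-groups` output,
    which reports AtRestEncryptionEnabled per replication group."""
    return [g["ReplicationGroupId"]
            for g in describe_output.get("ReplicationGroups", [])
            if g.get("AtRestEncryptionEnabled") is not True]


# Constructed sample template (not a real deployment): one flawed group, one fixed.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "CacheNoEncryption": {"Type": "AWS::ElastiCache::ReplicationGroup"},
    "CacheEncrypted": {"Type": "AWS::ElastiCache::ReplicationGroup",
                       "Properties": {"AtRestEncryptionEnabled": true}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

# Constructed sample of describe-replication-groups output, trimmed to the relevant field.
SAMPLE_DESCRIBE = {"ReplicationGroups": [
    {"ReplicationGroupId": "tf-rep-group-1", "AtRestEncryptionEnabled": False},
    {"ReplicationGroupId": "encrypted-group", "AtRestEncryptionEnabled": True},
]}

if __name__ == "__main__":
    print(unencrypted_cfn_resources(SAMPLE_TEMPLATE))  # ['CacheNoEncryption']
    print(unencrypted_live_groups(SAMPLE_DESCRIBE))    # ['tf-rep-group-1']
```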