Ensure ElastiCache Redis Cache Clusters Have In-Transit Encryption Enabled

Overview

This check verifies that your Amazon ElastiCache for Redis replication groups have TLS-based in-transit encryption enabled. In-transit encryption protects data as it travels between your applications and Redis, as well as between Redis nodes in a cluster.

Risk

Without in-transit encryption, network traffic between your applications and Redis instances is sent in plain text. This creates several security risks:

  • Eavesdropping: Attackers on the network can intercept and read sensitive cached data
  • Man-in-the-middle attacks: Malicious actors could intercept and modify data in transit
  • Credential theft: Session tokens, passwords, and other credentials stored in cache could be exposed
  • Compliance violations: Many regulatory frameworks require encryption of data in transit

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify ElastiCache clusters
  • The name of the Redis replication group you want to update

Required IAM permissions

Your IAM user or role needs these permissions:

  • elasticache:DescribeReplicationGroups
  • elasticache:ModifyReplicationGroup

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeReplicationGroups",
        "elasticache:ModifyReplicationGroup"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon ElastiCache console
  2. In the left navigation, select Redis OSS caches (or Valkey caches)
  3. Select the replication group you want to modify
  4. Click Actions, then choose Modify
  5. Scroll to the Security section
  6. For Encryption in transit, select Enabled
  7. For Transit encryption mode, choose:
    • Preferred - allows both encrypted and unencrypted connections (good for migration)
    • Required - only allows encrypted connections (recommended for production)
  8. Check Apply immediately if you want changes to take effect now
  9. Click Modify

Important: Enabling in-transit encryption may cause a brief service interruption. Plan this change during a maintenance window if possible.

AWS CLI (optional)

Check current encryption status:

aws elasticache describe-replication-groups \
  --replication-group-id <your-replication-group-id> \
  --region us-east-1 \
  --query "ReplicationGroups[0].TransitEncryptionEnabled"

Enable in-transit encryption (preferred mode):

aws elasticache modify-replication-group \
  --replication-group-id <your-replication-group-id> \
  --transit-encryption-enabled \
  --transit-encryption-mode preferred \
  --apply-immediately \
  --region us-east-1

Enable in-transit encryption (required mode - stricter):

aws elasticache modify-replication-group \
  --replication-group-id <your-replication-group-id> \
  --transit-encryption-enabled \
  --transit-encryption-mode required \
  --apply-immediately \
  --region us-east-1

Replace <your-replication-group-id> with your actual replication group identifier.

CloudFormation (optional)

Use this CloudFormation template to create a new Redis replication group with in-transit encryption enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: ElastiCache Redis replication group with in-transit encryption enabled

Parameters:
  ReplicationGroupId:
    Type: String
    Description: The replication group identifier
    Default: my-redis-cluster
  CacheNodeType:
    Type: String
    Description: The compute and memory capacity of the nodes
    Default: cache.t3.micro
  NumCacheClusters:
    Type: Number
    Description: The number of cache clusters (nodes) in the replication group
    Default: 2
  SubnetGroupName:
    Type: String
    Description: The name of the cache subnet group
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of VPC security group IDs

Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: !Ref ReplicationGroupId
      ReplicationGroupDescription: Redis replication group with in-transit encryption
      CacheNodeType: !Ref CacheNodeType
      Engine: redis
      NumCacheClusters: !Ref NumCacheClusters
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref SubnetGroupName
      SecurityGroupIds: !Ref SecurityGroupIds
      TransitEncryptionEnabled: true
      AtRestEncryptionEnabled: true

Outputs:
  ReplicationGroupEndpoint:
    Description: The primary endpoint address
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
  ReplicationGroupPort:
    Description: The primary endpoint port
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Port

Deploy the stack:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name redis-encrypted-cluster \
  --parameter-overrides \
    SubnetGroupName=<your-subnet-group> \
    SecurityGroupIds=<sg-xxxxxxxx> \
  --region us-east-1

Terraform (optional)

Use this Terraform configuration to create a new Redis replication group with in-transit encryption enabled:

# Input variables referenced below, declared so the configuration applies stand-alone
variable "subnet_group_name" {
  description = "Name of the ElastiCache subnet group"
  type        = string
}

variable "security_group_ids" {
  description = "VPC security group IDs attached to the replication group"
  type        = list(string)
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "my-redis-cluster"
  description                = "Redis replication group with in-transit encryption"
  node_type                  = "cache.t3.micro"
  num_cache_clusters         = 2
  automatic_failover_enabled = true
  multi_az_enabled           = true
  subnet_group_name          = var.subnet_group_name
  security_group_ids         = var.security_group_ids

  # Enable in-transit encryption (TLS)
  transit_encryption_enabled = true

  # Also enable at-rest encryption for comprehensive protection
  at_rest_encryption_enabled = true

  # Engine settings
  engine               = "redis"
  engine_version       = "7.0"
  parameter_group_name = "default.redis7"

  tags = {
    Name = "my-redis-cluster"
  }
}

output "primary_endpoint_address" {
  description = "The primary endpoint address"
  value       = aws_elasticache_replication_group.redis.primary_endpoint_address
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify that in-transit encryption is enabled:

  1. In the ElastiCache console, select your replication group
  2. Check the Details tab
  3. Confirm Encryption in-transit shows Enabled

CLI verification

aws elasticache describe-replication-groups \
  --replication-group-id <your-replication-group-id> \
  --region us-east-1 \
  --query "ReplicationGroups[0].{TransitEncryptionEnabled:TransitEncryptionEnabled,TransitEncryptionMode:TransitEncryptionMode}"

Expected output (for a replication group set to required mode):

{
  "TransitEncryptionEnabled": true,
  "TransitEncryptionMode": "required"
}
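The CLI check above and this verification query read the same two fields. As an added example (not part of the original page), the Python audit below evaluates DescribeReplicationGroups output for a whole fleet, flags groups still in preferred mode because they continue to accept plaintext, and derives the modify_replication_group calls that move a group to required in the page's migration order (preferred first, then required). The sample response is constructed; fetch_live is an optional boto3 fetch assumed for use against a real account.

```python
"""Audit ElastiCache replication groups for in-transit encryption (added example)."""
from __future__ import annotations

# Constructed sample in the shape of a DescribeReplicationGroups response.
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "sessions-prod",
         "TransitEncryptionEnabled": True, "TransitEncryptionMode": "required"},
        {"ReplicationGroupId": "catalog-migrating",
         "TransitEncryptionEnabled": True, "TransitEncryptionMode": "preferred"},
        {"ReplicationGroupId": "legacy-cache", "TransitEncryptionEnabled": False},
    ]
}

def evaluate(group: dict) -> str:
    """PASS: TLS only. WARN: TLS on but plaintext still accepted. FAIL: no TLS."""
    if not group.get("TransitEncryptionEnabled", False):
        return "FAIL"
    # Assumption: a group that reports no mode was created with TLS on, which the
    # API treats as "required"; only an explicit "preferred" still admits plaintext.
    return "WARN" if group.get("TransitEncryptionMode") == "preferred" else "PASS"

def audit(response: dict) -> dict[str, str]:
    """Map every replication group id to its finding."""
    return {g["ReplicationGroupId"]: evaluate(g) for g in response["ReplicationGroups"]}

def plan_remediation(group: dict) -> list[dict]:
    """Kwargs for successive modify_replication_group calls, in the page's migration
    order: enable TLS in preferred mode first, then switch to required once every
    client connects over TLS. Empty when the group already passes."""
    rg_id, status, steps = group["ReplicationGroupId"], evaluate(group), []
    if status == "FAIL":
        steps.append({"ReplicationGroupId": rg_id, "TransitEncryptionEnabled": True,
                      "TransitEncryptionMode": "preferred", "ApplyImmediately": True})
    if status != "PASS":
        steps.append({"ReplicationGroupId": rg_id, "TransitEncryptionMode": "required",
                      "ApplyImmediately": True})
    return steps

def fetch_live(region: str = "us-east-1") -> dict:
    """Pull real data with boto3 (needs credentials; the offline sample does not)."""
    import boto3  # lazy import so the audit logic runs without boto3 installed
    client = boto3.client("elasticache", region_name=region)
    pages = client.get_paginator("describe_replication_groups").paginate()
    return {"ReplicationGroups": [g for p in pages for g in p["ReplicationGroups"]]}

if __name__ == "__main__":
    for rg_id, status in audit(SAMPLE_RESPONSE).items():
        print(f"{status:4} {rg_id}")
```

Against a real account, replace SAMPLE_RESPONSE with fetch_live(region) and feed each WARN or FAIL group's plan to boto3's modify_replication_group, applying the second step only after every client has been switched to TLS.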

Additional Resources

Notes

  • Application updates required: When you enable in-transit encryption, your application must connect using TLS. Update your Redis client configuration to use TLS connections.
  • Performance impact: TLS encryption adds minimal overhead but may slightly increase latency. For most workloads, this is negligible.
  • Existing clusters: You can enable in-transit encryption on existing Redis 7.0+ replication groups. Older versions may require creating a new cluster.
  • Transit encryption modes:
    • Preferred: Accepts both TLS and non-TLS connections. Use this during migration.
    • Required: Only accepts TLS connections. Use this for maximum security after migration.
  • Combine with other security controls: For comprehensive protection, also enable at-rest encryption, use Redis AUTH or RBAC, and restrict network access with security groups.