Ensure ElastiCache Redis Cache Clusters Have At-Rest Encryption Enabled
Overview
This check verifies that your Amazon ElastiCache for Redis replication groups have encryption at rest enabled. Encryption at rest protects on-disk cache data and backups from unauthorized access.
Risk
Without encryption at rest, cached data stored on disk and in backups is vulnerable if storage is compromised. Sensitive information such as secrets, tokens, and personally identifiable information (PII) could be exposed, potentially breaking confidentiality and enabling lateral movement through offline analysis of cached data.
Remediation Steps
Prerequisites
You need:
- AWS account access with permissions to manage ElastiCache resources
- Access to the AWS Console or AWS CLI
Important: Encryption at rest cannot be enabled on an existing replication group. You must create a new encrypted replication group and migrate your data.
AWS Console Method
- Sign in to the AWS Console and navigate to ElastiCache
- In the left navigation, select Redis OSS caches
- Select the unencrypted replication group you want to secure
- Choose Actions > Backup
- Enter a name for the backup (e.g., my-redis-backup-before-encryption)
- Wait for the backup to complete (status shows "available")
- Navigate to Backups in the left navigation
- Select your backup and choose Restore
- Configure the new replication group:
  - Enter a new replication group ID (e.g., my-redis-encrypted)
  - Under Security, enable Encryption at rest
  - Optionally select a KMS key (default AWS managed key is acceptable)
  - Enable Encryption in transit for additional security
- Complete the remaining configuration and choose Create
- Wait for the new replication group to become available
- Update your application to use the new endpoint addresses
- Verify your application works correctly with the new cluster
- Delete the original unencrypted replication group
AWS CLI (optional)
Check current encryption status:
aws elasticache describe-replication-groups \
--replication-group-id my-redis-cluster \
--region us-east-1 \
--query "ReplicationGroups[0].AtRestEncryptionEnabled"
Create a backup of your existing cluster:
aws elasticache create-snapshot \
--replication-group-id my-redis-cluster \
--snapshot-name my-redis-backup-before-encryption \
--region us-east-1
Create a new encrypted replication group from the backup:
aws elasticache create-replication-group \
--replication-group-id my-redis-encrypted \
--replication-group-description "Redis cluster with encryption at rest" \
--snapshot-name my-redis-backup-before-encryption \
--cache-node-type cache.t3.micro \
--num-cache-clusters 2 \
--cache-subnet-group-name my-subnet-group \
--security-group-ids sg-12345678 \
--at-rest-encryption-enabled \
--transit-encryption-enabled \
--automatic-failover-enabled \
--region us-east-1
Get the new endpoint addresses:
aws elasticache describe-replication-groups \
--replication-group-id my-redis-encrypted \
--region us-east-1 \
--query "ReplicationGroups[0].{Primary:NodeGroups[0].PrimaryEndpoint.Address,Reader:NodeGroups[0].ReaderEndpoint.Address}"
Delete the old unencrypted replication group (after verifying the new one works):
aws elasticache delete-replication-group \
--replication-group-id my-redis-cluster \
--region us-east-1
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: ElastiCache Redis Replication Group with encryption at rest
Parameters:
  ReplicationGroupId:
    Type: String
    Description: The replication group identifier
    Default: my-redis-cluster
  CacheNodeType:
    Type: String
    Description: The compute and memory capacity of the nodes
    Default: cache.t3.micro
  NumCacheClusters:
    Type: Number
    Description: Number of cache clusters (nodes) in the replication group
    Default: 2
    MinValue: 1
    MaxValue: 6
  SubnetGroupName:
    Type: String
    Description: The name of the cache subnet group
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of VPC security group IDs
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: !Ref ReplicationGroupId
      ReplicationGroupDescription: Redis cluster with encryption at rest enabled
      Engine: redis
      EngineVersion: '7.0'
      CacheNodeType: !Ref CacheNodeType
      NumCacheClusters: !Ref NumCacheClusters
      CacheSubnetGroupName: !Ref SubnetGroupName
      SecurityGroupIds: !Ref SecurityGroupIds
      AtRestEncryptionEnabled: true
      TransitEncryptionEnabled: true
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      Port: 6379
Outputs:
  PrimaryEndpoint:
    Description: The primary endpoint address
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
  ReaderEndpoint:
    Description: The reader endpoint address
    Value: !GetAtt RedisReplicationGroup.ReaderEndPoint.Address
Terraform (optional)
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id = "my-redis-encrypted"
  description          = "Redis cluster with encryption at rest enabled"
  engine               = "redis"
  engine_version       = "7.0"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  subnet_group_name    = "my-subnet-group"
  security_group_ids   = ["sg-12345678"]
  port                 = 6379

  # Security settings
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true

  # High availability settings
  automatic_failover_enabled = true
  multi_az_enabled           = true

  tags = {
    Name = "my-redis-encrypted"
  }
}

output "primary_endpoint_address" {
  description = "The address of the endpoint for the primary node"
  value       = aws_elasticache_replication_group.redis.primary_endpoint_address
}

output "reader_endpoint_address" {
  description = "The address of the endpoint for the reader node"
  value       = aws_elasticache_replication_group.redis.reader_endpoint_address
}
Verification
After remediation, verify that encryption at rest is enabled:
- In the AWS Console, navigate to ElastiCache > Redis OSS caches
- Select your replication group
- In the Details section, confirm Encryption at-rest shows Enabled
CLI verification
aws elasticache describe-replication-groups \
--replication-group-id my-redis-encrypted \
--region us-east-1 \
--query "ReplicationGroups[0].AtRestEncryptionEnabled"
Expected output: true
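To verify every replication group in a region at once rather than one ID at a time, the following added example (not part of this page's procedure or of Prowler's own check) evaluates the JSON that describe-replication-groups returns. It fails closed when AtRestEncryptionEnabled is absent, records whether a customer-managed KMS key is in use, and also reports in-transit encryption; the sample response, account number and key ID are constructed placeholders, and the live helper assumes boto3 and AWS credentials are available.

```python
"""Audit ElastiCache replication groups for at-rest (and in-transit) encryption.
Added example over the JSON shape of `aws elasticache describe-replication-groups`;
runs offline on a saved response, or live via the optional boto3 helper.
"""

# Constructed sample mirroring the ReplicationGroups list; IDs, account
# number and key ID are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "my-redis-cluster",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        {"ReplicationGroupId": "my-redis-encrypted",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        # Group that omits the field entirely: fail closed, treat as unencrypted.
        {"ReplicationGroupId": "legacy-redis"},
    ]
}


def audit_group(group: dict) -> dict:
    """Return a finding for one replication group; missing fields count as FAIL."""
    at_rest = group.get("AtRestEncryptionEnabled") is True
    in_transit = group.get("TransitEncryptionEnabled") is True
    if group.get("KmsKeyId"):
        key = "customer-managed"   # KmsKeyId is only reported for CMK-encrypted groups
    else:
        key = "aws-managed" if at_rest else "none"
    return {"id": group["ReplicationGroupId"], "status": "PASS" if at_rest else "FAIL",
            "at_rest": at_rest, "in_transit": in_transit, "key": key}


def audit_response(response: dict) -> list:
    """Audit every group in one describe-replication-groups response (or page)."""
    return [audit_group(g) for g in response.get("ReplicationGroups", [])]


def failing_ids(response: dict) -> list:
    """Groups that need the snapshot-and-restore migration described above."""
    return [f["id"] for f in audit_response(response) if f["status"] == "FAIL"]


def audit_live(region: str) -> list:
    """Same audit against a live account; assumes boto3 is installed and credentials exist."""
    import boto3  # imported lazily so the offline sample runs without it
    paginator = boto3.client("elasticache", region_name=region).get_paginator(
        "describe_replication_groups")
    return [f for page in paginator.paginate() for f in audit_response(page)]
```

Feed a saved response with `audit_response(json.load(open("groups.json")))`, or call `audit_live("us-east-1")` against an account; any ID in `failing_ids` is a candidate for the migration above.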
Additional Resources
- AWS ElastiCache Data Security Documentation
- ElastiCache Encryption at Rest
- AWS KMS Keys for ElastiCache
- Prowler ElastiCache Checks
Notes
- Migration required: Encryption at rest cannot be enabled on existing replication groups. You must create a new encrypted cluster and migrate your data.
- Application changes: After creating the new encrypted cluster, you must update your application configuration to use the new endpoint addresses.
- KMS key considerations: Using a customer-managed KMS key provides more control over key rotation and access policies. The default AWS managed key is sufficient for most use cases.
- Performance: Encryption at rest has minimal performance impact as the encryption/decryption is handled transparently by AWS.
- Cost: There is no additional charge for encryption at rest, but customer-managed KMS keys incur standard KMS charges.
- Compliance: This check maps to frameworks including C5, ISO27001, KISA-ISMS-P, and PCI DSS.