Ensure ElastiCache Redis Replication Groups Have AUTH Enabled
Overview
This check verifies that Amazon ElastiCache Redis replication groups running versions prior to 6.0 have Redis AUTH enabled. AUTH requires clients to provide a password before executing commands, adding a layer of security to your Redis deployment.
For Redis 6.0 and later, AWS recommends using Role-Based Access Control (RBAC) instead of AUTH tokens for more granular access management.
Risk
Without AUTH enabled on your ElastiCache Redis cluster, anyone with network access can connect and execute commands without authentication. This could allow attackers to:
- Read sensitive cached data (session tokens, user information)
- Modify or delete cached data
- Inject malicious data into your application cache
- Use your Redis instance as a pivot point for further attacks
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify ElastiCache replication groups
- Knowledge of which applications connect to your Redis cluster (they will need the AUTH token)
Important: Enabling AUTH requires transit encryption (TLS). If your cluster does not have transit encryption enabled, you will need to enable it first, which requires cluster recreation for some configurations.
AWS Console Method
- Open the ElastiCache Console
- In the left navigation, click Redis OSS caches
- Select the replication group that needs AUTH enabled
- Click the Modify button
- Scroll to the Security section
- Under Access control, select Redis OSS AUTH
- Enter a strong AUTH token (16-128 printable characters)
- Check Apply immediately if you want changes to take effect right away
- Click Modify
- Wait for the cluster status to return to Available
After enabling AUTH, update all applications that connect to this Redis cluster to include the AUTH token in their connection configuration.
AWS CLI
Enable AUTH on an existing replication group:
aws elasticache modify-replication-group \
--replication-group-id my-redis-cluster \
--auth-token "YourStrongAuthToken123!" \
--auth-token-update-strategy SET \
--apply-immediately \
--region us-east-1
Parameters:
- --replication-group-id: Your Redis replication group identifier
- --auth-token: A strong password (16-128 printable characters, no spaces or quotes)
- --auth-token-update-strategy: Use SET for new tokens or ROTATE for token rotation
- --apply-immediately: Apply changes without waiting for the maintenance window
Note: If transit encryption is not enabled, you must enable it first:
aws elasticache modify-replication-group \
--replication-group-id my-redis-cluster \
--transit-encryption-enabled \
--transit-encryption-mode required \
--apply-immediately \
--region us-east-1
Check the current AUTH status:
aws elasticache describe-replication-groups \
--replication-group-id my-redis-cluster \
--query 'ReplicationGroups[0].{AuthTokenEnabled:AuthTokenEnabled,TransitEncryptionEnabled:TransitEncryptionEnabled}' \
--region us-east-1
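The check described in the Overview can be automated by evaluating the same fields the CLI query above returns. The following is an added example, not code from the original page: it takes the ReplicationGroups list from describe-replication-groups plus a CacheClusterId-to-EngineVersion map (the replication group record itself does not carry the engine version; it is taken from describe-cache-clusters for a member cluster), and flags groups on engines older than 6.0 that have no AUTH token. The sample data is constructed, and scan_with_boto3 is a hypothetical wrapper that assumes boto3 and AWS credentials are available.

```python
"""Flag ElastiCache Redis replication groups (engine < 6.0) without AUTH.

Added example, not part of the original page. The sample responses below are
constructed to mirror the shape of describe-replication-groups and
describe-cache-clusters output.
"""
from __future__ import annotations

import re


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.0.6' or '6.x' into a comparable tuple (non-numeric parts -> 0)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def evaluate(replication_groups: list[dict], cluster_versions: dict[str, str]) -> list[dict]:
    """Return one result per replication group.

    status is FAIL (in scope, AUTH off), PASS (in scope, AUTH on) or
    NOT_APPLICABLE (engine 6.0+, where RBAC is the recommended control).
    """
    results = []
    for group in replication_groups:
        group_id = group["ReplicationGroupId"]
        # Member clusters of one group share an engine version; look at the first.
        members = group.get("MemberClusters", [])
        version = cluster_versions.get(members[0], "0") if members else "0"
        auth_on = bool(group.get("AuthTokenEnabled", False))
        tls_on = bool(group.get("TransitEncryptionEnabled", False))

        if parse_version(version) >= (6,):
            status, reason = "NOT_APPLICABLE", "engine 6.0+; evaluate RBAC instead"
        elif auth_on:
            status, reason = "PASS", "AUTH token enabled"
        elif not tls_on:
            # AUTH cannot be enabled until transit encryption is on, so say so.
            status, reason = "FAIL", "AUTH disabled; enable transit encryption first"
        else:
            status, reason = "FAIL", "AUTH disabled"

        results.append({
            "replication_group_id": group_id,
            "engine_version": version,
            "auth_token_enabled": auth_on,
            "transit_encryption_enabled": tls_on,
            "status": status,
            "reason": reason,
        })
    return results


# Constructed sample data (not real resources).
SAMPLE_REPLICATION_GROUPS = [
    {"ReplicationGroupId": "legacy-sessions", "Status": "available",
     "MemberClusters": ["legacy-sessions-001", "legacy-sessions-002"],
     "AuthTokenEnabled": False, "TransitEncryptionEnabled": False},
    {"ReplicationGroupId": "my-redis-cluster", "Status": "available",
     "MemberClusters": ["my-redis-cluster-001", "my-redis-cluster-002"],
     "AuthTokenEnabled": True, "TransitEncryptionEnabled": True},
    {"ReplicationGroupId": "rbac-cache", "Status": "available",
     "MemberClusters": ["rbac-cache-001"],
     "AuthTokenEnabled": False, "TransitEncryptionEnabled": True},
]
SAMPLE_CLUSTER_VERSIONS = {
    "legacy-sessions-001": "5.0.6", "legacy-sessions-002": "5.0.6",
    "my-redis-cluster-001": "5.0.6", "my-redis-cluster-002": "5.0.6",
    "rbac-cache-001": "7.1.0",
}


def scan_with_boto3(region: str) -> list[dict]:
    """Hypothetical live wrapper: assumes boto3 and credentials (not run here)."""
    import boto3  # imported lazily so the offline sample still runs without it

    client = boto3.client("elasticache", region_name=region)
    groups: list[dict] = []
    for page in client.get_paginator("describe_replication_groups").paginate():
        groups.extend(page["ReplicationGroups"])
    versions: dict[str, str] = {}
    for page in client.get_paginator("describe_cache_clusters").paginate():
        for cluster in page["CacheClusters"]:
            versions[cluster["CacheClusterId"]] = cluster["EngineVersion"]
    return evaluate(groups, versions)


if __name__ == "__main__":
    for row in evaluate(SAMPLE_REPLICATION_GROUPS, SAMPLE_CLUSTER_VERSIONS):
        print(f'{row["status"]:<15} {row["replication_group_id"]:<20} {row["reason"]}')
```

Run as-is it prints FAIL for legacy-sessions (and notes the transit-encryption prerequisite), PASS for my-redis-cluster and NOT_APPLICABLE for rbac-cache; point scan_with_boto3 at a region to run the same evaluation against live output.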
CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Description: ElastiCache Redis replication group with AUTH enabled
Parameters:
  ReplicationGroupId:
    Type: String
    Description: Unique identifier for the replication group
    Default: my-redis-cluster
  AuthToken:
    Type: String
    Description: AUTH token for Redis authentication (16-128 characters)
    NoEcho: true
    MinLength: 16
    MaxLength: 128
  SubnetGroupName:
    Type: String
    Description: Name of the ElastiCache subnet group
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: !Ref ReplicationGroupId
      ReplicationGroupDescription: Redis replication group with AUTH enabled
      Engine: redis
      EngineVersion: '5.0.6'
      CacheNodeType: cache.t3.micro
      NumCacheClusters: 2
      Port: 6379
      TransitEncryptionEnabled: true
      AuthToken: !Ref AuthToken
      CacheSubnetGroupName: !Ref SubnetGroupName
      Tags:
        - Key: Environment
          Value: production
Outputs:
  ReplicationGroupId:
    Description: The ID of the Redis replication group
    Value: !Ref RedisReplicationGroup
  PrimaryEndpoint:
    Description: The primary endpoint address
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
Best Practice: Store the AUTH token in AWS Secrets Manager and use dynamic references:
AuthToken: '{{resolve:secretsmanager:my-redis-auth-token:SecretString}}'
Terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_elasticache_replication_group" "example" {
  replication_group_id = "my-redis-cluster"
  description          = "Redis replication group with AUTH enabled"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  engine               = "redis"
  engine_version       = "5.0.6"
  port                 = 6379

  # Security settings - AUTH requires transit encryption
  transit_encryption_enabled = true
  auth_token                 = var.redis_auth_token

  # Subnet group (required for VPC deployment)
  subnet_group_name = aws_elasticache_subnet_group.example.name

  tags = {
    Environment = "production"
  }
}

variable "redis_auth_token" {
  description = "AUTH token for Redis authentication"
  type        = string
  sensitive   = true
}

resource "aws_elasticache_subnet_group" "example" {
  name       = "my-redis-subnet-group"
  subnet_ids = var.subnet_ids
}

variable "subnet_ids" {
  description = "List of subnet IDs for the ElastiCache subnet group"
  type        = list(string)
}
Best Practice: Store the AUTH token in AWS Secrets Manager or use Terraform variables with sensitive flag enabled.
Verification
After enabling AUTH, verify the configuration:
- In the ElastiCache Console, select your replication group
- Check that Auth token enabled shows Yes in the cluster details
- Verify Encryption in-transit is also enabled
CLI Verification
aws elasticache describe-replication-groups \
--replication-group-id my-redis-cluster \
--query 'ReplicationGroups[0].{AuthTokenEnabled:AuthTokenEnabled,TransitEncryptionEnabled:TransitEncryptionEnabled,Status:Status}' \
--region us-east-1
Expected output:
{
"AuthTokenEnabled": true,
"TransitEncryptionEnabled": true,
"Status": "available"
}
Test the connection with AUTH (using redis-cli; the token can also be supplied through the REDISCLI_AUTH environment variable instead of -a, which keeps it out of shell history and the process list):
redis-cli -h your-cluster-endpoint.cache.amazonaws.com \
--tls \
-a "YourStrongAuthToken123!" \
PING
Additional Resources
- ElastiCache Redis AUTH Documentation
- Authenticating with the Redis AUTH command
- Role-Based Access Control (RBAC) for Redis 6.0+
- ElastiCache Security Best Practices
Notes
- Transit encryption required: AUTH tokens can only be enabled when transit encryption (TLS) is also enabled. This ensures the token is not transmitted in plaintext.
- Application updates needed: After enabling AUTH, all client applications must be updated to provide the AUTH token when connecting. Plan for coordinated deployment.
- Redis 6.0+ consideration: If you are running Redis 6.0 or later, consider using RBAC (Role-Based Access Control) instead of AUTH. RBAC provides more granular access control with user-specific permissions.
- Token rotation: You can rotate AUTH tokens without downtime using the ROTATE strategy. This allows you to set a new token while the old one remains valid temporarily.
- Token requirements: AUTH tokens must be 16-128 printable ASCII characters. Avoid using characters that might cause issues in connection strings (like @, :, /).
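The token requirements and the two-phase rotation described in the notes above, as an added example that is not part of the original page: it generates a token from the allowed character set (printable ASCII minus space, quotes, @, : and /), validates it, and issues the ROTATE call followed by the SET call through a boto3-style client. rotate_auth_token and finalize_auth_token accept any object with a modify_replication_group method, so the RecordingClient below (a constructed stand-in that only records the parameters) lets the flow run offline; with a real client you would pass boto3.client("elasticache").

```python
"""Generate a compliant ElastiCache AUTH token and rotate it in two phases.

Added example, not from the original page. The parameter names match the
boto3 modify_replication_group call; RecordingClient is a constructed fake.
"""
import secrets
import string

# Printable ASCII minus the characters the notes warn about: space, quotes, @ : /
TOKEN_ALPHABET = "".join(
    ch for ch in string.ascii_letters + string.digits + string.punctuation
    if ch not in " \"'@:/"
)


def is_valid_auth_token(token: str) -> bool:
    """16-128 characters, every one drawn from TOKEN_ALPHABET."""
    if not 16 <= len(token) <= 128:
        return False
    return all(ch in TOKEN_ALPHABET for ch in token)


def generate_auth_token(length: int = 32) -> str:
    """Cryptographically random token that satisfies is_valid_auth_token."""
    if not 16 <= length <= 128:
        raise ValueError("AUTH token length must be between 16 and 128")
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def rotate_auth_token(client, group_id: str, new_token: str, *, apply_immediately: bool = True) -> dict:
    """Phase 1 (ROTATE): old and new tokens are both accepted while clients roll over."""
    if not is_valid_auth_token(new_token):
        raise ValueError("new token violates AUTH token requirements")
    return client.modify_replication_group(
        ReplicationGroupId=group_id,
        AuthToken=new_token,
        AuthTokenUpdateStrategy="ROTATE",
        ApplyImmediately=apply_immediately,
    )


def finalize_auth_token(client, group_id: str, new_token: str, *, apply_immediately: bool = True) -> dict:
    """Phase 2 (SET): retire the old token once every client presents the new one."""
    if not is_valid_auth_token(new_token):
        raise ValueError("new token violates AUTH token requirements")
    return client.modify_replication_group(
        ReplicationGroupId=group_id,
        AuthToken=new_token,
        AuthTokenUpdateStrategy="SET",
        ApplyImmediately=apply_immediately,
    )


class RecordingClient:
    """Constructed stand-in for boto3.client('elasticache'); records calls only."""

    def __init__(self) -> None:
        self.calls: list[dict] = []

    def modify_replication_group(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        pending = "ROTATING" if kwargs["AuthTokenUpdateStrategy"] == "ROTATE" else "SETTING"
        return {"ReplicationGroup": {
            "ReplicationGroupId": kwargs["ReplicationGroupId"],
            "PendingModifiedValues": {"AuthTokenStatus": pending},
        }}


if __name__ == "__main__":
    fake = RecordingClient()
    token = generate_auth_token(40)
    print(rotate_auth_token(fake, "my-redis-cluster", token)["ReplicationGroup"]["PendingModifiedValues"])
    # ...deploy the new token to every client, then:
    print(finalize_auth_token(fake, "my-redis-cluster", token)["ReplicationGroup"]["PendingModifiedValues"])
```

Between the two phases, redeploy the client applications with the new token and confirm they reconnect successfully; only then issue the SET call, because after it the old token is rejected.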