AWS ElastiCache Redis cluster with encryption for data at rest disabled
Description
ElastiCache for Redis offers default encryption at rest as a service, as well as the ability to use your own symmetric customer-managed customer master keys in AWS Key Management Service (KMS).
ElastiCache for Redis at-rest encryption encrypts the following aspects:
- Disk during sync, backup and swap operations
- Backups stored in Amazon S3
Code Example
```shell
aws elasticache create-replication-group \
    --replication-group-id my-classic-rg \
    --replication-group-description "3 node replication group" \
    --cache-node-type cache.m4.large \
    --engine redis \
    --engine-version 4.0.10 \
    --at-rest-encryption-enabled \
    --num-cache-clusters 3 \
    --cache-parameter-group default.redis4.0
```
Remediation
- ElastiCache Console
  To create a replication group using the ElastiCache console, make the following selections:
  1. Engine: redis.
  2. Engine version: 3.2.6, 4.0.10 or later.
  3. Encryption at-rest list: Yes.
- CLI Command
  The `create-replication-group` command in the code example above creates the Redis (cluster mode disabled) replication group my-classic-rg with three nodes (`--num-cache-clusters`): a primary and two read replicas. At-rest encryption is enabled for this replication group by the `--at-rest-encryption-enabled` flag.
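Because this rule is evaluated against CloudFormation and Terraform templates rather than against a live account, the following added example shows the kind of check it performs on a CloudFormation template. It is illustrative code written for this page, not Checkov's own implementation of CKV_AWS_29: it parses a constructed template, reports every `AWS::ElastiCache::ReplicationGroup` whose `AtRestEncryptionEnabled` property is missing or not true (the property name is the real CloudFormation one; the sample resource names and values are made up), and produces the corrected template beside the weak one.

```python
"""Added example, not part of the original rule page or of Checkov: a minimal
stand-alone scan of a CloudFormation template for ElastiCache replication
groups that do not enable encryption at rest."""
import json

# Constructed sample template: one group omits the property, one sets it to
# false explicitly, one is configured correctly, and one resource is unrelated.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "UnencryptedRG": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupDescription": "property omitted",
                "Engine": "redis",
                "EngineVersion": "4.0.10",
                "CacheNodeType": "cache.m4.large",
                "NumCacheClusters": 3,
            },
        },
        "ExplicitlyDisabledRG": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupDescription": "encryption turned off",
                "Engine": "redis",
                "AtRestEncryptionEnabled": False,
            },
        },
        "EncryptedRG": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupDescription": "3 node replication group",
                "Engine": "redis",
                "EngineVersion": "4.0.10",
                "AtRestEncryptionEnabled": True,
            },
        },
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

RG_TYPE = "AWS::ElastiCache::ReplicationGroup"


def _is_true(value):
    """CloudFormation booleans may be written as JSON true or as the string "true"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_replication_groups(template_text):
    """Return the sorted logical IDs of replication groups that fail the check:
    AtRestEncryptionEnabled is absent, false, or any non-true value."""
    template = json.loads(template_text)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RG_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("AtRestEncryptionEnabled")):
            failing.append(logical_id)
    return sorted(failing)


def remediate(template_text):
    """Return a copy of the template with AtRestEncryptionEnabled set to true on
    every replication group, i.e. the corrected form of the weak template."""
    template = json.loads(template_text)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") != RG_TYPE:
            continue
        props = resource.get("Properties") or {}
        props["AtRestEncryptionEnabled"] = True
        resource["Properties"] = props
    return json.dumps(template)


if __name__ == "__main__":
    print("failing before:", find_unencrypted_replication_groups(SAMPLE_TEMPLATE))
    fixed = remediate(SAMPLE_TEMPLATE)
    print("failing after: ", find_unencrypted_replication_groups(fixed))
```

Run stand-alone, the script reports `UnencryptedRG` and `ExplicitlyDisabledRG` as failing and an empty list after remediation. The check treats an absent property the same as an explicit false, because the service default is no encryption at rest when the property is not set, which is exactly the case the rule's LOW-severity finding is meant to surface before deployment.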
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0083 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_29 |