AWS ElastiCache Redis cluster with Redis AUTH feature disabled
Description
In Amazon ElastiCache, the Redis authentication command asks users to enter a password prior to being granted permission to execute Redis commands on a password-protected server. Authentication can only be enabled when you are creating clusters with the in-transit encryption option enabled. When Redis authentication is enabled, users are required to pass through an additional layer of authentication before gaining access to the server and gaining permission to perform actions. We recommend that all data stored in the ElastiCache Replication Group is securely encrypted in-transit with an authentication token.
Code Example
```bash
# Rotate the AUTH token on an existing replication group.
# ROTATE adds the new token while the current one stays valid; a follow-up
# call with --auth-token-update-strategy SET retires the old token.
aws elasticache modify-replication-group \
  --replication-group-id authtestgroup \
  --auth-token This-is-the-rotated-token \
  --auth-token-update-strategy ROTATE \
  --apply-immediately
```
Remediation
**Procedure**
To authenticate a user using *Redis AUTH*, create a new *Redis Cluster* with the following parameters enabled:
- transit-encryption-enabled
- auth-token
**CLI Command**
The following AWS CLI operation modifies a replication group to rotate the AUTH token This-is-the-rotated-token.
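The following CloudFormation template is an added example, not part of the original page, showing the replication group shape that satisfies this rule: the `transit-encryption-enabled` and `auth-token` parameters above map to the `TransitEncryptionEnabled` and `AuthToken` properties. The parameter and resource names and the cache subnet group are assumptions.

```yaml
# Added example (not from the original page): a CloudFormation template whose
# replication group satisfies CKV_AWS_31. Parameter and resource names and the
# subnet group are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  RedisAuthToken:
    Type: String
    NoEcho: true            # keep the token out of stack describe output and logs
    MinLength: 16           # ElastiCache AUTH token length limits
    MaxLength: 128
  CacheSubnetGroupName:
    Type: String            # existing subnet group (assumed to already exist)
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: authtestgroup
      ReplicationGroupDescription: Redis group with AUTH and in-transit encryption
      Engine: redis
      CacheNodeType: cache.t3.micro
      NumCacheClusters: 1
      CacheSubnetGroupName: !Ref CacheSubnetGroupName
      # The two properties the rule looks for. AUTH cannot be enabled without
      # in-transit encryption, so both are set together; omitting either one
      # is what CKV_AWS_31 flags.
      TransitEncryptionEnabled: true
      AuthToken: !Ref RedisAuthToken
      AtRestEncryptionEnabled: true
```

Running `checkov -f template.yaml --check CKV_AWS_31` against this template reports the resource as passed; removing `TransitEncryptionEnabled` or `AuthToken` turns it into a failure.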
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0085 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_31 |