Data stored in the ElastiCache Replication Group is not securely encrypted in-transit
Description
In Amazon ElastiCache, the Redis authentication command asks users to enter a password prior to being granted permission to execute Redis commands on a password-protected server. Authentication can only be enabled when you are creating clusters with the in-transit encryption option enabled. When Redis authentication is enabled, users are required to pass through an additional layer of authentication before gaining access to the server and gaining permission to perform actions.
We recommend that all data stored in the ElastiCache Replication Group is securely encrypted in-transit with an authentication token.
Fix - Runtime
Procedure
To authenticate users with Redis AUTH, create a new Redis cluster with the following parameters enabled:
- transit-encryption-enabled
- auth-token.
CLI Command
The following AWS CLI operation modifies a replication group to rotate its AUTH token to This-is-the-rotated-token. With the ROTATE strategy the cluster accepts both the previous and the new token until a follow-up update with the SET strategy retires the old one.
aws elasticache modify-replication-group \
--replication-group-id authtestgroup \
--auth-token This-is-the-rotated-token \
--auth-token-update-strategy ROTATE \
--apply-immediately
Fix - Buildtime
Terraform
- Resource: aws_elasticache_replication_group
- Argument: auth_token - (Optional) The password used to access a password-protected server. Can be specified only if transit_encryption_enabled = true.
resource "aws_elasticache_replication_group" "example" {
  ...
  at_rest_encryption_enabled = true
+ auth_token                 = var.auth_token
+ transit_encryption_enabled = true
  ...
}
CloudFormation
- Resource: AWS::ElastiCache::ReplicationGroup
- Argument: AuthToken - (Optional) The password used to access a password-protected server. Can be specified only if TransitEncryptionEnabled = true.
Resources:
  ReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      ...
+     AuthToken: 'MySecret!AuthToken$'
+     TransitEncryptionEnabled: True
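To verify the runtime state this policy describes, the following added example (not part of this page or of Checkov) evaluates a `describe-replication-groups` style response and reports groups that lack in-transit encryption or an AUTH token; it also flags a token that is still being applied via PendingModifiedValues.AuthTokenStatus. The sample response is constructed; field names follow the DescribeReplicationGroups API.

```python
"""Audit ElastiCache replication groups for TLS in transit and Redis AUTH."""
from typing import Dict, List

# Constructed sample shaped like `aws elasticache describe-replication-groups`
# output. Field names are the API's; ids and values are invented.
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "authtestgroup",
         "TransitEncryptionEnabled": True,
         "AuthTokenEnabled": True,
         "AtRestEncryptionEnabled": True},
        {"ReplicationGroupId": "legacy-cache",
         "TransitEncryptionEnabled": False,
         "AuthTokenEnabled": False,
         "AtRestEncryptionEnabled": True},
        {"ReplicationGroupId": "tls-no-auth",
         "TransitEncryptionEnabled": True,
         "AuthTokenEnabled": False,
         "PendingModifiedValues": {"AuthTokenStatus": "SETTING"}},
    ]
}


def check_replication_group(group: Dict) -> List[str]:
    """Return findings for one replication group (empty list = compliant)."""
    findings = []
    # A missing flag (older API responses) is treated as disabled.
    if not group.get("TransitEncryptionEnabled", False):
        findings.append("in-transit encryption disabled")
    if not group.get("AuthTokenEnabled", False):
        status = group.get("PendingModifiedValues", {}).get("AuthTokenStatus")
        if status == "SETTING":
            findings.append("AUTH token pending (SETTING)")
        else:
            findings.append("AUTH token not set")
    return findings


def audit_replication_groups(response: Dict) -> Dict[str, List[str]]:
    """Map each non-compliant replication group id to its findings."""
    report = {}
    for group in response.get("ReplicationGroups", []):
        findings = check_replication_group(group)
        if findings:
            report[group["ReplicationGroupId"]] = findings
    return report


if __name__ == "__main__":
    for group_id, findings in audit_replication_groups(SAMPLE_RESPONSE).items():
        print(f"{group_id}: {', '.join(findings)}")
```

Against a live account, feed the output of `boto3.client("elasticache").describe_replication_groups()` to `audit_replication_groups` instead of the sample.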