Profile Applicability:
- Level 1
Description:
Amazon ElastiCache provides managed Redis and Memcached services for in-memory caching. At-rest encryption ensures that the data stored in the cache is encrypted, protecting it from unauthorized access at the physical level. In Redis, enabling at-rest encryption encrypts the data stored on disk and the backup snapshots. This SOP ensures that Redis cache clusters are configured with at-rest encryption enabled, improving data security.
Rationale:
At-rest encryption protects the data stored in the Redis cache by encrypting it while it is stored on the disk. This ensures that even if an unauthorized party gains access to the storage medium, they cannot read or tamper with the data. Enabling at-rest encryption in ElastiCache Redis is crucial for securing sensitive data, ensuring compliance with data protection regulations, and maintaining the integrity of cached data.
Impact:
Pros:
Improved Security: Data stored on disk is encrypted, reducing the risk of unauthorized access.
Compliance: Meets security standards and data protection regulations, such as GDPR, HIPAA, or PCI-DSS.
Data Integrity: Ensures that cached data is protected from tampering at rest.
Cons:
Performance Overhead: Enabling encryption may introduce a slight performance overhead due to encryption and decryption processes.
Cost: Enabling at-rest encryption might incur additional charges for storing the encrypted data and managing the encryption keys.
Default Value:
By default, at-rest encryption is not enabled for ElastiCache Redis clusters. It must be explicitly configured during the creation or modification of the cache cluster.
Pre-requisite:
AWS IAM Permissions:
elasticache:DescribeCacheClusters
elasticache:ModifyCacheCluster
AWS CLI installed and configured.
Basic understanding of Amazon ElastiCache, Redis, and encryption in AWS.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to ElastiCache under Services.
In the ElastiCache Dashboard, select Redis from the list of clusters.
Choose a Redis cache cluster and verify its at-rest encryption setting:
Check if the Encryption at rest option is enabled for the cluster.
If Encryption at rest is not enabled, the setting will show as Disabled.
Using AWS CLI:
To check whether at-rest encryption is enabled for a Redis cache cluster, run the following command (the field is named AtRestEncryptionEnabled in the DescribeCacheClusters output):
aws elasticache describe-cache-clusters --cache-cluster-id <cluster-id> --query 'CacheClusters[*].{ID:CacheClusterId,EncryptionAtRest:AtRestEncryptionEnabled}' --output table
If the EncryptionAtRest column shows false, at-rest encryption is not enabled for the cluster.
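The single-cluster check above does not scale to an account with many clusters. The following script is an added example, not part of the original SOP: it evaluates the JSON shape returned by describe-cache-clusters (the same structure boto3's describe_cache_clusters returns), treats a missing AtRestEncryptionEnabled field as a failure, skips Memcached clusters, and can be pointed at a live region through boto3. The sample response, cluster ids and region name are constructed for illustration.

```python
"""Audit ElastiCache Redis clusters for at-rest encryption.

Added example, not part of the original SOP. Evaluates the JSON returned by
`aws elasticache describe-cache-clusters` / boto3 describe_cache_clusters.
The sample response below is constructed, not captured from a real account.
"""
from typing import Dict, List

# Constructed sample: the relevant subset of a DescribeCacheClusters response.
SAMPLE_RESPONSE = {
    "CacheClusters": [
        {"CacheClusterId": "redis-prod-001", "Engine": "redis",
         "ReplicationGroupId": "redis-prod",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True},
        {"CacheClusterId": "redis-dev-001", "Engine": "redis",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        # Field absent: older engine versions never report it, so fail closed.
        {"CacheClusterId": "redis-legacy-001", "Engine": "redis"},
        # Memcached is outside the scope of this control.
        {"CacheClusterId": "memcached-001", "Engine": "memcached"},
    ]
}


def find_unencrypted_redis(response: Dict) -> List[str]:
    """Return ids of Redis clusters whose at-rest encryption is not confirmed.

    Only an explicit True passes; False or a missing field is a finding.
    """
    findings: List[str] = []
    for cluster in response.get("CacheClusters", []):
        if cluster.get("Engine") != "redis":
            continue
        if cluster.get("AtRestEncryptionEnabled") is not True:
            findings.append(cluster["CacheClusterId"])
    return findings


def audit_region(region_name: str) -> List[str]:
    """Run the check against a live account (paginated).

    Needs credentials with elasticache:DescribeCacheClusters. boto3 is
    imported lazily so the offline evaluator above works without it.
    """
    import boto3  # assumed to be installed when run against AWS
    client = boto3.client("elasticache", region_name=region_name)
    findings: List[str] = []
    for page in client.get_paginator("describe_cache_clusters").paginate():
        findings.extend(find_unencrypted_redis(page))
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in audit_region("us-east-1")
    # (region name is a placeholder) to scan a real account.
    for cluster_id in find_unencrypted_redis(SAMPLE_RESPONSE):
        print(f"FAIL: {cluster_id} does not have at-rest encryption enabled")
```

Treating an absent field as a failure is deliberate: a cluster that cannot report its encryption state should be investigated rather than silently passed.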
Implementation Steps:
Using AWS Console:
Open the AWS Management Console
Navigate to ElastiCache.
Choose Redis from the list of available clusters.
Select the Redis cluster you want to modify.
Click on Modify.
In the Encryption at Rest section, check the box to enable at-rest encryption.
Choose an AWS KMS key for encryption, or create a new one if needed.
Click Apply Immediately to save the changes.
Using AWS CLI:
At-rest encryption is fixed when a Redis replication group is created and cannot be toggled on an existing cluster; the ModifyCacheCluster API has no flag for it. To enable it for an existing Redis cluster, take a snapshot and create a new replication group from that snapshot with at-rest encryption enabled:
aws elasticache create-snapshot --cache-cluster-id <cluster-id> --snapshot-name <snapshot-name>
aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description "Encrypted replacement for <cluster-id>" --snapshot-name <snapshot-name> --at-rest-encryption-enabled
If you need to specify a customer managed KMS key for encryption, add --kms-key-id:
aws elasticache create-replication-group --replication-group-id <new-replication-group-id> --replication-group-description "Encrypted replacement for <cluster-id>" --snapshot-name <snapshot-name> --at-rest-encryption-enabled --kms-key-id <kms-key-id>
To verify that at-rest encryption is enabled on the new replication group, run:
aws elasticache describe-replication-groups --replication-group-id <new-replication-group-id> --query 'ReplicationGroups[*].{ID:ReplicationGroupId,EncryptionAtRest:AtRestEncryptionEnabled}' --output table
Once the new replication group is available and verified, update application endpoints to it and delete the original, unencrypted cluster.
Backout Plan:
If the encrypted replacement causes issues or performance degradation:
Identify the affected Redis cache cluster and its encrypted replacement replication group.
Revert by pointing applications back to the original, unencrypted cluster (keep it until cutover is confirmed), or, if it has already been deleted, restore from the snapshot without the --at-rest-encryption-enabled flag:
aws elasticache create-replication-group --replication-group-id <restored-replication-group-id> --replication-group-description "Restored from <snapshot-name>" --snapshot-name <snapshot-name>
Remove the encrypted replacement once clients have been moved off it:
aws elasticache delete-replication-group --replication-group-id <new-replication-group-id>
Verify that the cache cluster is functioning as expected without encryption enabled.