Profile Applicability:

  • Level 1

Description:

Amazon ElastiCache provides managed Redis and Memcached services for in-memory caching. Redis supports authentication using the AUTH command, allowing clients to securely connect to Redis instances. For earlier Redis versions (such as Redis 5.x or older) that do not have encryption at rest enabled by default, it is important to ensure that Redis OSS AUTH is enabled to require password authentication for client connections. This ensures that only authorized clients can access the Redis replication groups, improving security.

Rationale:

Enabling Redis OSS AUTH (password-based authentication) in earlier Redis versions helps mitigate the risk of unauthorized access to your Redis cluster. Without authentication, any client with network access to the Redis cluster could potentially issue commands and access sensitive data. For earlier versions of Redis that don't have encryption enabled, enabling authentication provides an additional layer of security. This is particularly important in production environments where data privacy and protection are critical.

Impact:

Pros:

  • Enhanced Security: Requires clients to authenticate with a password before accessing the Redis replication group, preventing unauthorized access.

  • Compliance: Meets security best practices for authentication and access control in Redis.

  • Data Protection: Protects sensitive data in the Redis store by ensuring that only authorized clients can connect.

Cons:

  • Management Overhead: You need to manage and securely store passwords for all clients connecting to the Redis cluster.

  • Legacy Compatibility: Some older applications may not be compatible with Redis AUTH, requiring updates to support password-based authentication.

Default Value:

By default, earlier versions of ElastiCache Redis (such as 5.x or older) may not have Redis OSS AUTH enabled. Enabling AUTH requires manual configuration through the ElastiCache Console or AWS CLI.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticache:DescribeReplicationGroups

    • elasticache:ModifyReplicationGroup

  • AWS CLI installed and configured.

  • Basic understanding of Amazon ElastiCache, Redis, and Redis AUTH configuration.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ElastiCache under Services.

  3. In the ElastiCache Dashboard, select Redis replication groups.

  4. Select a Replication Group for which you want to check Redis OSS AUTH.

  5. Review the Replication Group Settings:

    • Ensure that the Redis AUTH option is enabled for the selected Redis version.

    • If AUTH is not enabled, it will be noted in the Cluster Settings.

Using AWS CLI:

To list all Redis replication groups and check if Redis AUTH is enabled, run the following command:

aws elasticache describe-replication-groups --query 'ReplicationGroups[*].{ID:ReplicationGroupId, AuthEnabled:AuthTokenEnabled}' --output table

Check the AuthEnabled field for each replication group:

  • If AuthEnabled is false, Redis AUTH is not enabled.

  • If AuthEnabled is true, Redis AUTH is enabled.
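The following Python script is an added example (not part of this benchmark text) that applies the same check to the JSON printed by `aws elasticache describe-replication-groups --output json`: it reports every replication group whose AuthTokenEnabled flag is not true, notes whether at-rest and in-transit encryption are also off, and builds the remediation command from the Implementation Steps. The sample response, group IDs and `<password>` placeholder are constructed.

```python
import json

# Constructed sample in the shape of `aws elasticache describe-replication-groups`
# JSON output; the group IDs and flag values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "ReplicationGroups": [
        {"ReplicationGroupId": "cache-prod", "AuthTokenEnabled": True,
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True},
        {"ReplicationGroupId": "cache-legacy", "AuthTokenEnabled": False,
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": True},
        {"ReplicationGroupId": "cache-plain", "AuthTokenEnabled": False,
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
    ]
})


def audit_auth(response_json):
    """Return {ReplicationGroupId: reason} for every group that fails the check.

    AuthTokenEnabled is the field that reflects Redis AUTH; AtRestEncryptionEnabled
    is a separate control and must not be used as a proxy for it. A missing
    AuthTokenEnabled key is treated as not enabled (fail closed).
    """
    findings = {}
    for group in json.loads(response_json).get("ReplicationGroups", []):
        if group.get("AuthTokenEnabled") is True:
            continue
        reasons = ["Redis AUTH not enabled"]
        if not group.get("AtRestEncryptionEnabled", False):
            reasons.append("at-rest encryption disabled")
        if not group.get("TransitEncryptionEnabled", False):
            # AUTH tokens can only be applied to groups with in-transit encryption,
            # so this group needs TLS enabled before the AUTH remediation can proceed.
            reasons.append("in-transit encryption disabled (required for AUTH)")
        findings[group["ReplicationGroupId"]] = "; ".join(reasons)
    return findings


def remediation_command(group_id, token_placeholder="<password>"):
    """Build the modify-replication-group call that enables AUTH on a group."""
    return ("aws elasticache modify-replication-group "
            f"--replication-group-id {group_id} "
            f"--auth-token {token_placeholder} "
            "--auth-token-update-strategy ROTATE --apply-immediately")


if __name__ == "__main__":
    for gid, reason in audit_auth(SAMPLE_RESPONSE).items():
        print(f"{gid}: {reason}")
        print("  " + remediation_command(gid))
```

Pipe the real CLI output into `audit_auth` instead of `SAMPLE_RESPONSE` to audit an account; the generated command still needs a real token substituted for the placeholder.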

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to ElastiCache.

  3. Select the Redis replication group you want to modify from the list of replication groups.

  4. Click Modify Replication Group.

  5. In the Settings section, locate the Redis AUTH setting.

  6. Enable Redis OSS AUTH by setting a password. Ensure that this password is securely stored and only provided to authorized clients.

  7. Save the changes and apply them to the replication group.

Using AWS CLI:

Redis AUTH can only be applied to replication groups that have in-transit encryption (TLS) enabled. To enable Redis AUTH for a specific Redis replication group, run the following command (the token must be between 16 and 128 characters; the ROTATE strategy lets existing clients keep connecting without a token while they are updated):

aws elasticache modify-replication-group --replication-group-id <replication-group-id> --auth-token <password> --auth-token-update-strategy ROTATE --apply-immediately

Once all clients supply the token, make it mandatory:

aws elasticache modify-replication-group --replication-group-id <replication-group-id> --auth-token <password> --auth-token-update-strategy SET --apply-immediately

Verify that the AUTH token has been successfully applied:

aws elasticache describe-replication-groups --replication-group-id <replication-group-id> --query 'ReplicationGroups[*].{ID:ReplicationGroupId, AuthEnabled:AuthTokenEnabled}'

Backout Plan:

If enabling Redis AUTH causes issues with clients or application connectivity:

  1. Identify the affected Redis replication group.

  2. Revert the change by removing the AUTH token (this leaves the group without password authentication):

aws elasticache modify-replication-group --replication-group-id <replication-group-id> --auth-token-update-strategy DELETE --apply-immediately

  3. Verify that clients are able to connect without authentication and that the Redis replication group is functioning as expected.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
--------|------------|----------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                             |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                         |     |     |