Profile Applicability:

  • Level 1

Description:
 Securing access to Amazon ElastiCache is essential for preventing unauthorized access to in-memory data. Proper configuration of VPCs, security groups, and access control ensures that only authorized users and applications can access ElastiCache clusters.

Rationale:
 By securing ElastiCache access, you ensure that sensitive data stored in the cache is not exposed to unauthorized users or services. This minimizes the risk of data leaks and malicious exploitation of cached data. Proper access control is vital to maintaining the confidentiality, integrity, and availability of cached data.

Impact:
 If ElastiCache is not properly secured, it may be exposed to unauthorized access, leading to potential data breaches, unauthorized data manipulation, or service disruptions. Securing ElastiCache access minimizes this risk and strengthens overall security.

Default Value:
 By default, ElastiCache does not have encryption in-transit or secure VPC settings enabled for all clusters. Access to ElastiCache is not restricted by VPCs or security groups unless configured.

Pre-requisites:

  • An AWS account

  • ElastiCache cluster created

  • Understanding of VPC, security groups, and IAM roles

  • Familiarity with encryption methods such as in-transit and at-rest encryption

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to ElastiCache Dashboard.

  2. Select the ElastiCache cluster and verify that it is within a VPC and uses proper security groups.

  3. Ensure that Encryption in-transit and Encryption at-rest are enabled for sensitive clusters.

  4. Review IAM roles and policies for access control to ElastiCache.

  5. Verify that only trusted sources are allowed to access ElastiCache through security group rules.

Using AWS CLI:

  1. Run the following command to check the subnet group (which places the cluster in a VPC) and the security groups attached to the cluster. Note that the CacheClusters output carries no VpcId field; the VPC is resolved through the subnet group:

     aws elasticache describe-cache-clusters --cache-cluster-id <cluster-id> --query "CacheClusters[].{CacheClusterId:CacheClusterId, CacheSubnetGroupName:CacheSubnetGroupName, SecurityGroups:SecurityGroups}"

     aws elasticache describe-cache-subnet-groups --cache-subnet-group-name <subnet-group-name> --query "CacheSubnetGroups[].VpcId"

  2. Check if encryption is enabled for the cluster:

     aws elasticache describe-cache-clusters --cache-cluster-id <cluster-id> --query "CacheClusters[].{EncryptionAtRest:AtRestEncryptionEnabled, EncryptionInTransit:TransitEncryptionEnabled}"

  3. Verify the security groups for access (inbound rules should admit the cache port only from trusted sources, never from 0.0.0.0/0 or ::/0):

     aws ec2 describe-security-groups --group-ids <group-id> --query "SecurityGroups[].IpPermissions"
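The Test Plan checks above, automated against the same API fields the CLI queries return, as an added example that is not part of this benchmark: evaluate_cluster() is a pure function run here on constructed sample data, and audit() (assumed boto3 client, credentials and region) applies it to a live account. It goes one step beyond step 3 by also flagging a security group whose inbound rule exposes the cache port to 0.0.0.0/0 or ::/0.

```python
CACHE_PORTS = {"redis": 6379, "memcached": 11211}  # engine default ports
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def sg_is_open(sg, port):
    """True if any inbound rule of a describe-security-groups entry exposes port to the world."""
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent for protocol -1
        if perm.get("IpProtocol") not in ("-1", "tcp") or not lo <= port <= hi:
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if OPEN_CIDRS.intersection(cidrs):
            return True
    return False

def evaluate_cluster(cluster, sgs_by_id):
    """Return the failed checks for one CacheClusters[] entry from describe-cache-clusters."""
    findings = []
    if not cluster.get("CacheSubnetGroupName"):
        findings.append("not in a VPC subnet group")
    if not cluster.get("AtRestEncryptionEnabled"):
        findings.append("encryption at rest disabled")
    if not cluster.get("TransitEncryptionEnabled"):
        findings.append("encryption in transit disabled")
    port = CACHE_PORTS.get(cluster.get("Engine", ""), 6379)
    for ref in cluster.get("SecurityGroups", []):
        if sg_is_open(sgs_by_id.get(ref["SecurityGroupId"], {}), port):
            findings.append(f"{ref['SecurityGroupId']} open to the internet on port {port}")
    return findings

def audit(region):
    """Live audit (assumes boto3 and AWS credentials); returns {cluster-id: findings}."""
    import boto3  # imported here so the pure checks above run without it
    ec = boto3.client("elasticache", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    clusters = ec.describe_cache_clusters()["CacheClusters"]  # one page; paginate for big accounts
    ids = sorted({s["SecurityGroupId"] for c in clusters for s in c.get("SecurityGroups", [])})
    sgs = ec2.describe_security_groups(GroupIds=ids)["SecurityGroups"] if ids else []
    by_id = {g["GroupId"]: g for g in sgs}
    return {c["CacheClusterId"]: evaluate_cluster(c, by_id) for c in clusters}

# Constructed sample data shaped like the CLI output above (not from a real account).
SAMPLE_CLUSTER = {"CacheClusterId": "cache-demo", "Engine": "redis",
                  "CacheSubnetGroupName": "demo-subnets", "AtRestEncryptionEnabled": True,
                  "TransitEncryptionEnabled": False,
                  "SecurityGroups": [{"SecurityGroupId": "sg-0123", "Status": "active"}]}
SAMPLE_SGS = {"sg-0123": {"GroupId": "sg-0123", "IpPermissions": [{"IpProtocol": "tcp",
              "FromPort": 6379, "ToPort": 6379, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}
```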

Implementation Plan:

Using AWS Console:

  1. In the ElastiCache Console, navigate to Modify your cache cluster.

  2. Enable Encryption in-transit and Encryption at-rest for the cluster.

  3. Ensure the cluster is inside a VPC, and attach the correct security group with restricted inbound and outbound access.

  4. Review IAM roles and ensure that access to ElastiCache is limited to specific users and services by configuring the appropriate IAM policies.

Using AWS CLI:

  1. Create a security group and add the appropriate inbound rules (allow the cache port only from the application's own security group; 6379 is the Redis default, 11211 the Memcached default):

     aws ec2 create-security-group --group-name ElastiCacheSecurityGroup --description "Security group for ElastiCache" --vpc-id <vpc-id>

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 6379 --source-group <app-sg-id>

  2. Enable Encryption at-rest and Encryption in-transit during cluster creation or modification. Neither flag is accepted by modify-cache-cluster: encryption at rest can only be set when the cluster is created, so an unencrypted cluster is replaced by a new replication group created with both flags:

     aws elasticache create-replication-group --replication-group-id <group-id> --replication-group-description "Encrypted cache" --engine redis --cache-node-type <node-type> --num-cache-clusters <number-of-nodes> --cache-subnet-group-name <subnet-group-name> --security-group-ids <sg-id> --at-rest-encryption-enabled --transit-encryption-enabled

     On an existing Redis replication group (Redis 7.0 or later) in-transit encryption can be enabled in place; preferred mode accepts both TLS and plaintext connections while clients migrate, after which the mode is switched to required:

     aws elasticache modify-replication-group --replication-group-id <group-id> --transit-encryption-enabled --transit-encryption-mode preferred --apply-immediately

  3. Attach the security group to the ElastiCache cluster:

     aws elasticache modify-cache-cluster --cache-cluster-id <cluster-id> --security-group-ids <sg-id> --apply-immediately

Backout Plan:

Using AWS Console:

  1. Navigate to the ElastiCache Dashboard and Modify the cluster.

  2. Disable Encryption in-transit and Encryption at-rest if necessary.

  3. Detach the security group and apply the previous configuration.

Using AWS CLI:

  1. Modify the ElastiCache cluster to disable encryption. Encryption at rest cannot be removed from an existing cluster, so backing it out means restoring a snapshot into a new cluster created without --at-rest-encryption-enabled. In-transit encryption is changed on the replication group (modify-cache-cluster does not accept the flag):

     aws elasticache modify-replication-group --replication-group-id <group-id> --no-transit-encryption-enabled --apply-immediately

  2. Remove the security group from the cluster by reattaching the previous one:

     aws elasticache modify-cache-cluster --cache-cluster-id <cluster-id> --security-group-ids <previous-sg-id> --apply-immediately

References: