Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon ElastiCache for Redis clusters are configured with in-transit encryption enabled. In-transit encryption uses TLS to protect data on the wire between clients (such as EC2 instances or other services) and the Redis nodes, and between the nodes themselves (replication traffic), so that it cannot be read or altered by anyone able to observe the network path.

Rationale:

Redis is often used to store sensitive information such as session tokens, authentication credentials, and application data. Without encryption in transit, this data, together with the AUTH token used to log in to the cluster, crosses the network in plaintext and can be captured by anyone who can intercept traffic between clients and nodes. Enabling in-transit encryption protects the data during communication and mitigates man-in-the-middle attacks and credential theft. It also supports compliance with the CIS Benchmarks, SOC 2, ISO 27001, and NIST SP 800-53.

Impact:

  • Positive Impact: Client-to-node and node-to-node traffic is protected by TLS, so credentials, session data, and cached application data cannot be read or tampered with by an on-path attacker.

  • Negative Impact: TLS adds some CPU and latency overhead to every connection and command. Once the transit encryption mode is set to required, clients that are not configured for TLS are refused, so every client must be migrated before enforcement. On engine versions that do not support changing the setting in place, a new cluster and a client cutover are required.

Default Value:

When a cluster is created through the API or CLI, in-transit encryption is disabled unless TransitEncryptionEnabled is explicitly set to true.

Pre-Requisite:

  • IAM permissions required: elasticache:DescribeReplicationGroups and elasticache:DescribeCacheClusters to audit; elasticache:ModifyReplicationGroup (or elasticache:CreateReplicationGroup where a replacement cluster is needed) to remediate. In-transit encryption is a property of the replication group, so ModifyCacheCluster does not change it.
  • The cluster must be deployed in a VPC and run an engine version that supports in-transit encryption (Redis 3.2.6, 4.0.10, or later). Enabling it on an existing cluster without recreating it requires Redis 7.0 or later.
  • Every client must be able to connect over TLS (a client library with TLS support, or redis-cli built with TLS).

Audit:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ElastiCache → Redis.

  3. Select the target Redis cluster (replication group).

  4. Under the cluster details, check the Encryption in transit setting and the Transit encryption mode.

  5. The cluster is compliant only if encryption in transit is enabled and the transit encryption mode is required. A cluster with encryption in transit disabled, or left in preferred mode (which still accepts plaintext connections), is non-compliant.

Remediation:

Implementation Plan 

Using AWS Console:

  1. Navigate to ElastiCache → Redis.

  2. Select the Redis cluster that requires in-transit encryption.

  3. If the cluster runs Redis engine 7.0 or later, click Modify, enable Encryption in transit, and set the transit encryption mode to preferred. In preferred mode the cluster accepts both TLS and plaintext connections, so existing clients keep working while they are migrated.

  4. Reconfigure every client to connect over TLS. The endpoint and port do not change; the client library (or redis-cli with --tls) must be told to use TLS.

  5. Once all clients use TLS, click Modify again and set the transit encryption mode to required so that plaintext connections are rejected. Review the settings and click Continue to apply the changes.

  6. If the cluster runs an engine older than 7.0, the setting cannot be changed in place: create a new cluster with encryption in transit enabled (for example by restoring a backup of the existing cluster), migrate clients to it over TLS, and retire the old cluster once cutover is confirmed.

  7. Verify that the Encryption in transit status shows enabled with the mode required, and confirm from a client that a plaintext connection is refused.
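The Test Plan and Implementation Plan above can be scripted against captured API output. The following Python is added here as an example; it is not part of this control and not AWS tooling. It reads the JSON returned by `aws elasticache describe-replication-groups` and `aws elasticache describe-cache-clusters`, flags every replication group that does not enforce TLS (encryption disabled, or still in preferred mode), uses the member clusters' engine versions to decide whether in-place enablement is possible, and emits either the two-step modify-replication-group commands or a migration note. The sample payloads, group names, and engine versions are constructed; the CLI flag names are those of the AWS CLI modify-replication-group command.

```python
"""Audit ElastiCache for Redis in-transit encryption from captured API output.

Added example for this control (not AWS code). It consumes the shapes returned
by `aws elasticache describe-replication-groups` (ReplicationGroups) and
`aws elasticache describe-cache-clusters` (CacheClusters), so it runs offline
against a saved response. The SAMPLE_* payloads below are constructed.
"""
from dataclasses import dataclass

# In-place enablement (ModifyReplicationGroup with TransitEncryptionEnabled /
# TransitEncryptionMode) requires Redis engine 7.0 or later; older engines must
# be migrated to a new, encrypted replication group.
MIN_IN_PLACE_VERSION = (7, 0)


def parse_version(version: str) -> tuple:
    """Turn '7.0.7' or '6.x' into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass(frozen=True)
class Finding:
    replication_group_id: str
    mode: str               # "disabled", "preferred" or "required"
    oldest_engine: str
    in_place_possible: bool


def audit(replication_groups: list, cache_clusters: list) -> list:
    """Return one Finding per replication group that does not enforce TLS."""
    engine_version = {c["CacheClusterId"]: c["EngineVersion"] for c in cache_clusters}
    findings = []
    for rg in replication_groups:
        enabled = bool(rg.get("TransitEncryptionEnabled", False))
        # A group created with encryption on may omit TransitEncryptionMode; treat
        # that as "required". "preferred" still accepts plaintext clients and is
        # only an interim state, so it is reported too.
        mode = rg.get("TransitEncryptionMode", "required") if enabled else "disabled"
        if mode == "required":
            continue
        versions = [engine_version.get(m, "0") for m in rg.get("MemberClusters", [])]
        oldest = min(versions, key=parse_version) if versions else "0"
        findings.append(Finding(
            replication_group_id=rg["ReplicationGroupId"],
            mode=mode,
            oldest_engine=oldest,
            in_place_possible=parse_version(oldest) >= MIN_IN_PLACE_VERSION,
        ))
    return findings


def remediation_commands(finding: Finding) -> list:
    """AWS CLI steps that bring the group to TransitEncryptionMode=required."""
    base = ("aws elasticache modify-replication-group "
            f"--replication-group-id {finding.replication_group_id} --apply-immediately")
    if not finding.in_place_possible:
        return [f"# {finding.replication_group_id}: engine {finding.oldest_engine} < 7.0; "
                "create a new replication group with --transit-encryption-enabled "
                "(e.g. restore from a backup) and repoint clients to it over TLS"]
    steps = []
    if finding.mode == "disabled":
        # Step 1: preferred mode lets TLS and plaintext clients coexist while
        # clients are switched over.
        steps.append(f"{base} --transit-encryption-enabled --transit-encryption-mode preferred")
    # Step 2: once every client speaks TLS, reject plaintext connections.
    steps.append(f"{base} --transit-encryption-mode required")
    return steps


# Constructed sample data in the shape of the two describe-* responses.
SAMPLE_REPLICATION_GROUPS = [
    {"ReplicationGroupId": "sessions-prod", "TransitEncryptionEnabled": False,
     "MemberClusters": ["sessions-prod-001", "sessions-prod-002"]},
    {"ReplicationGroupId": "legacy-cache", "TransitEncryptionEnabled": False,
     "MemberClusters": ["legacy-cache-001"]},
    {"ReplicationGroupId": "tokens", "TransitEncryptionEnabled": True,
     "TransitEncryptionMode": "required", "MemberClusters": ["tokens-001"]},
    {"ReplicationGroupId": "rollout-in-progress", "TransitEncryptionEnabled": True,
     "TransitEncryptionMode": "preferred", "MemberClusters": ["rollout-in-progress-001"]},
]
SAMPLE_CACHE_CLUSTERS = [
    {"CacheClusterId": "sessions-prod-001", "EngineVersion": "7.0.7"},
    {"CacheClusterId": "sessions-prod-002", "EngineVersion": "7.0.7"},
    {"CacheClusterId": "legacy-cache-001", "EngineVersion": "6.2.6"},
    {"CacheClusterId": "tokens-001", "EngineVersion": "7.1.0"},
    {"CacheClusterId": "rollout-in-progress-001", "EngineVersion": "7.1.0"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REPLICATION_GROUPS, SAMPLE_CACHE_CLUSTERS):
        print(f"NON-COMPLIANT {f.replication_group_id}: mode={f.mode}, engine={f.oldest_engine}")
        for cmd in remediation_commands(f):
            print("  " + cmd)
```

Run it against real output by replacing the SAMPLE_* lists with `json.load`-ed responses from the two CLI calls. The engine-version check matters in practice: on a pre-7.0 group the modify call is not an option, and the script says so instead of emitting a command that will fail.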

Backout Plan:

Using AWS Console:

  1. If enforcing in-transit encryption breaks clients (typical symptoms are connection resets or protocol errors from clients that are not configured for TLS) and the engine version allows the transit encryption mode to be changed, set the mode back to preferred so plaintext clients can reconnect while their TLS configuration is fixed.
  2. If remediation was done by migrating to a new encrypted cluster, keep the original cluster running until cutover is confirmed and point clients back to it if needed. Once every client connects over TLS, set the mode to required again (or complete the migration) and retire the unencrypted cluster.

References: