
πŸ›‘οΈ AWS ElastiCache Replication Group is not encrypted at rest🟒

  • Contextual name: 🛡️ Replication Group is not encrypted at rest🟢
  • ID: /ce/ca/aws/elasticache/replication-group-encryption-at-rest
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS ElastiCache Replication Groups that do not have encryption at rest enabled. With at-rest encryption enabled, ElastiCache encrypts the data it writes to disk (during sync and swap operations) and the backups it takes, using a key managed through AWS Key Management Service (KMS): a default AWS key, or a customer managed key that you specify when the group is created.

Rationale​

Enabling encryption at rest is a critical security control for ElastiCache for Redis replication groups that hold sensitive data. If the underlying storage media or a backup is accessed or copied, the data remains unreadable without the KMS key used to encrypt it. The control covers data on disk only: data in the nodes' memory and on the network is not affected, so it should be combined with in-transit encryption and client authentication (an AUTH token or RBAC users).

Audit​

This policy flags an AWS ElastiCache Replication Group as INCOMPLIANT if the At Rest Encryption Enabled checkbox is false. This corresponds to the AtRestEncryptionEnabled attribute returned by the DescribeReplicationGroups API (aws elasticache describe-replication-groups).

The Replication Group is marked as INAPPLICABLE if its Status is anything other than available (for example creating, modifying, snapshotting or deleting), because the group is still changing state and its configuration is not evaluated.

Remediation

Enable At-Rest Encryption

Encryption at rest can only be set when a replication group is created; it cannot be enabled on an existing ElastiCache replication group. You must take a backup of the existing group and create a new replication group from that backup with encryption at rest enabled. The same applies to the KMS key: if you want a customer managed key instead of the default AWS key, pass it at creation (the --kms-key-id option of create-replication-group). Once the new group is verified and clients have been pointed at its endpoint, delete the old group, which stays INCOMPLIANT for as long as it exists, and the manual backup from step 1, which was taken from an unencrypted group and is therefore itself unencrypted.

From Command Line
  1. Create a manual backup of your existing replication group:

    aws elasticache create-snapshot \
      --replication-group-id {{replication-group-id}} \
      --snapshot-name {{snapshot-name}}

  2. Create a new replication group from the snapshot with encryption at rest enabled. The snapshot name must match the one used in step 1, and --auth-token is only accepted together with --transit-encryption-enabled:

    aws elasticache create-replication-group \
      --replication-group-id {{new-replication-group-id}} \
      --replication-group-description "Replication group with at-rest encryption enabled" \
      --engine redis \
      --snapshot-name {{snapshot-name}} \
      --at-rest-encryption-enabled \
      --transit-encryption-enabled \
      --auth-token {{auth-token}} \
      --cache-node-type {{cache-node-type}} \
      --engine-version {{engine-version}} \
      --cache-subnet-group-name {{subnet-group}}
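The Audit rule above and the check you want to run after remediation can be expressed as one small script. The following is an added example, not the page's policy.yaml or any Cloudaware code: it applies the INCOMPLIANT / INAPPLICABLE logic to the JSON that `aws elasticache describe-replication-groups` returns, so the same function confirms that the replacement group created in step 2 comes out COMPLIANT. The describe output embedded in the block is constructed sample data (the group IDs and key ARN are made up), and the `fetch_describe_output` helper is an optional live variant that needs boto3 and AWS credentials and is not exercised by the sample run.

```python
"""Evaluate the ElastiCache at-rest-encryption policy over describe-replication-groups output.

Added example, not the page's own policy.yaml. The JSON below is constructed sample output in
the shape returned by `aws elasticache describe-replication-groups`; only the fields the policy
reads (Status, AtRestEncryptionEnabled) matter, the rest is illustrative.
"""
import json

COMPLIANT, INCOMPLIANT, INAPPLICABLE = "COMPLIANT", "INCOMPLIANT", "INAPPLICABLE"

# Constructed sample: one unencrypted group, one encrypted with a customer managed key,
# and one still being created. IDs and the key ARN are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationGroups": [
        {"ReplicationGroupId": "rg-sessions", "Status": "available",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        {"ReplicationGroupId": "rg-sessions-enc", "Status": "available",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"ReplicationGroupId": "rg-in-progress", "Status": "creating",
         "AtRestEncryptionEnabled": False},
    ]
})


def evaluate(group: dict) -> str:
    """Apply the Audit rule to a single ReplicationGroup element.

    INAPPLICABLE when Status is anything other than "available"; otherwise INCOMPLIANT
    when AtRestEncryptionEnabled is false and COMPLIANT when it is true. A missing
    AtRestEncryptionEnabled key is deliberately treated as INCOMPLIANT (fail closed).
    """
    if group.get("Status") != "available":
        return INAPPLICABLE
    return COMPLIANT if group.get("AtRestEncryptionEnabled") is True else INCOMPLIANT


def evaluate_all(describe_output: str) -> dict:
    """Map ReplicationGroupId -> verdict for a describe-replication-groups JSON document."""
    groups = json.loads(describe_output).get("ReplicationGroups", [])
    return {g["ReplicationGroupId"]: evaluate(g) for g in groups}


def findings(describe_output: str) -> list:
    """Only the INCOMPLIANT groups, i.e. the ones needing the snapshot-and-recreate remediation."""
    return sorted(rg for rg, verdict in evaluate_all(describe_output).items()
                  if verdict == INCOMPLIANT)


def fetch_describe_output(region_name: str) -> str:
    """Live variant: collect every replication group in a region with boto3 (needs credentials).

    The paginator handles NextToken; the pages are reshaped into the same JSON layout the CLI
    prints so evaluate_all() can consume either source. default=str handles datetime fields.
    """
    import boto3  # imported lazily so the offline sample run works without boto3 installed
    client = boto3.client("elasticache", region_name=region_name)
    groups = []
    for page in client.get_paginator("describe_replication_groups").paginate():
        groups.extend(page["ReplicationGroups"])
    return json.dumps({"ReplicationGroups": groups}, default=str)


if __name__ == "__main__":
    for rg_id, verdict in evaluate_all(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{rg_id}: {verdict}")
    print("needs remediation:", findings(SAMPLE_DESCRIBE_OUTPUT))
```

Run the script as-is to see the three sample verdicts. To audit a real account, replace SAMPLE_DESCRIBE_OUTPUT with fetch_describe_output("us-east-1") or pipe the CLI's JSON into evaluate_all; after remediation, the new group's ID should appear as COMPLIANT and the old one should be gone.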

policy.yaml

Linked Framework Sections

  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest
  • 💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest
  • 💼 Cloudaware Framework → 💼 Data Encryption
  • 💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)
  • 💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)
  • 💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • 💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections | Compliance Checks
  • 💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control | Cryptography Management
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection | Prevent Exfiltration
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest | Cryptographic Protection
  • 💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity | Cryptographic Protection