
πŸ›‘οΈ AWS ElastiCache Replication Group is not encrypted at rest🟒

  • Contextual name: 🛡️ Replication Group is not encrypted at rest 🟢
  • ID: /ce/ca/aws/elasticache/replication-group-encryption-at-rest
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS ElastiCache Replication Groups that are not configured with encryption at rest. Encryption at rest protects data stored on disk by encrypting it with a key managed through AWS Key Management Service (KMS).

Rationale

Enabling encryption at rest is a critical security control that protects sensitive data in ElastiCache for Redis clusters. It ensures that if the underlying storage media is accessed or compromised, the data remains unreadable without the appropriate decryption key.

Audit

This policy flags an AWS ElastiCache Replication Group as INCOMPLIANT if the At Rest Encryption Enabled checkbox is set to false.

The Replication Group is marked as INAPPLICABLE if its Status is not available.
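The audit logic above, as an added example that is not part of the Cloudaware policy: it applies the two rules (Status must be available to be judged; At Rest Encryption Enabled must be true) to records shaped like the ElastiCache DescribeReplicationGroups response. The sample groups are constructed, a missing AtRestEncryptionEnabled key is treated as false by assumption, and the optional live fetch assumes boto3 and AWS credentials are available.

```python
from typing import Dict, List

# Verdicts used by the policy text above.
COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"


def evaluate_replication_group(group: dict) -> str:
    """Apply the policy's audit rules to one ReplicationGroup record
    (the shape returned by elasticache:DescribeReplicationGroups)."""
    # Groups that are creating, modifying, deleting, etc. are not judged.
    if group.get("Status") != "available":
        return INAPPLICABLE
    # Assumption: an absent flag is treated as disabled rather than passing
    # silently; the API reports False explicitly for unencrypted groups.
    if group.get("AtRestEncryptionEnabled", False) is not True:
        return INCOMPLIANT
    return COMPLIANT


def evaluate_all(groups: List[dict]) -> Dict[str, str]:
    """Map each ReplicationGroupId to its verdict."""
    return {g["ReplicationGroupId"]: evaluate_replication_group(g) for g in groups}


def fetch_replication_groups(region_name: str) -> List[dict]:
    """Optional live fetch (assumes boto3 installed and credentials configured)."""
    import boto3  # imported lazily so the offline sample has no dependency

    client = boto3.client("elasticache", region_name=region_name)
    groups: List[dict] = []
    for page in client.get_paginator("describe_replication_groups").paginate():
        groups.extend(page["ReplicationGroups"])
    return groups


# Constructed sample modelled on the DescribeReplicationGroups response.
SAMPLE_GROUPS = [
    {"ReplicationGroupId": "rg-plain", "Status": "available", "AtRestEncryptionEnabled": False},
    {"ReplicationGroupId": "rg-encrypted", "Status": "available", "AtRestEncryptionEnabled": True},
    {"ReplicationGroupId": "rg-creating", "Status": "creating", "AtRestEncryptionEnabled": False},
    {"ReplicationGroupId": "rg-legacy", "Status": "available"},  # flag absent
]

if __name__ == "__main__":
    for group_id, verdict in evaluate_all(SAMPLE_GROUPS).items():
        print(f"{group_id}: {verdict}")
```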

Remediation

Enable At-Rest Encryption

Encryption at rest cannot be enabled on an existing ElastiCache replication group directly. You must create a new replication group from a backup with encryption enabled.

From Command Line
  1. Create a manual backup of your existing replication group:

    aws elasticache create-snapshot \
    --replication-group-id {{replication-group-id}} \
    --snapshot-name {{snapshot-name}}
  2. Create a new replication group from the snapshot with encryption at rest enabled:

    aws elasticache create-replication-group \
    --replication-group-id {{new-replication-group-id}} \
    --replication-group-description "Replication group with at-rest encryption enabled" \
    --engine redis \
    --snapshot-name {{snapshot-name}} \
    --at-rest-encryption-enabled \
    --transit-encryption-enabled \
    --auth-token {{auth-token}} \
    --cache-node-type {{cache-node-type}} \
    --engine-version {{engine-version}} \
    --cache-subnet-group-name {{subnet-group}} \

... see more


Linked Framework Sections

Section → Sub Section | Counts (Sub Sections, Internal Rules, Policies, Flags) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest | 1 | no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest | 19 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 66 | no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H) | 16 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H) | 16 | no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 1640 | no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1735 | no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 524 | no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 40 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 135 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 24 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 40 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 135 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 24 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 173 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 149 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 169 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 39 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management | 16 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration | 16 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection | 429 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest | 31736 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1024 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | 25 | no data