🛡️ AWS ElastiCache Replication Group is not encrypted at rest🟢

Contextual name: 🛡️ Replication Group is not encrypted at rest🟢
ID: /ce/ca/aws/elasticache/replication-group-encryption-at-rest
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ElastiCache Replication Group
- 🔌 AWS ElastiCache Replication Group - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ElastiCache.4] ElastiCache replication groups should be encrypted at rest

Description

Description

This policy identifies AWS ElastiCache Replication Groups that are not configured with encryption at rest. Encryption at rest protects data stored on disk by encrypting it with a key managed through AWS Key Management Service (KMS).

Rationale

Enabling encryption at rest is a critical security control that protects sensitive data in ElastiCache for Redis clusters. It ensures that if the underlying storage media is accessed or compromised, the data remains unreadable without the appropriate decryption key.

Audit

This policy flags an AWS ElastiCache Replication Group as INCOMPLIANT if the At Rest Encryption Enabled checkbox is set to false.

The Replication Group is marked as INAPPLICABLE if its Status is not available.

Remediation

Open File

Remediation

Enable At-Rest Encryption

Encryption at rest cannot be enabled on an existing ElastiCache replication group directly. You must create a new replication group from a backup with encryption enabled.

From Command Line
Create a manual backup of your existing replication group:
aws elasticache create-snapshot \
    --replication-group-id {{replication-group-id}} \
    --snapshot-name {{snapshot-name}}
Create a new replication group from the snapshot with encryption at rest enabled:
aws elasticache create-replication-group \
    --replication-group-id {{new-replication-group-id}} \
    --replication-group-description "Replication group with at-rest encryption enabled" \
    --engine redis \
    --snapshot-name {{snapshot-name}} \
    --at-rest-encryption-enabled \
    --transit-encryption-enabled \
    --auth-token {{auth-token}} \
    --cache-node-type {{cache-node-type}} \
    --engine-version {{engine-version}} \
    --cache-subnet-group-name {{subnet-group}} \
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest			1	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20	no data
💼 Cloudaware Framework → 💼 Data Encryption			70	no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17	no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36	no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36	no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable At-Rest Encryption​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable At-Rest Encryption

From Command Line

policy.yaml

Linked Framework Sections