🛡️ AWS ElastiCache Replication Group is not encrypted in-transit🟢

Contextual name: 🛡️ Replication Group is not encrypted in-transit🟢
ID: /ce/ca/aws/elasticache/replication-group-in-transit-encryption
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ElastiCache Replication Group
- 🔌 AWS ElastiCache Replication Group - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ElastiCache.5] ElastiCache replication groups should be encrypted in transit

Description

Description

This policy identifies AWS ElastiCache Replication Groups that are not configured to enforce encryption of data in-transit. Encryption in-transit ensures that all communication to and from the Redis cluster is protected using Transport Layer Security (TLS).

Rationale

Enabling in-transit encryption protects data while it moves over the network. Without it, sensitive information exchanged between your applications and the Redis cluster could be intercepted by unauthorized parties.

Enforcing TLS mitigates the risk of eavesdropping and man-in-the-middle (MITM) attacks, ensuring both the confidentiality and integrity of your data, especially in environments where network traffic traverses untrusted networks.

Audit

This policy flags an AWS ElastiCache Replication Group as INCOMPLIANT if the Transit Encryption Enabled checkbox is set to false.

The Replication Group is marked as INAPPLICABLE if its Status is not available.

Remediation

Open File

Remediation

Enable In-Transit Encryption on an Existing Replication Group

Enabling in-transit encryption for an existing ElastiCache replication group is a two-step process. You must first set the transit encryption mode to preferred, which allows both encrypted and unencrypted connections. After all clients are migrated to use encrypted connections, you can then set the mode to required, which enforces encrypted connections only.

From Command Line
Set transit encryption mode to preferred

This step enables in-transit encryption and allows clients to connect using both encrypted and unencrypted connections:
aws elasticache modify-replication-group \
  --replication-group-id {{replication-group-id}} \
  --transit-encryption-enabled \
  --transit-encryption-mode preferred \
  --apply-immediately
Wait for the replication group to finish updating before proceeding to the next step.
Migrate all clients to use encrypted connections.

Set transit encryption mode to required
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.5] ElastiCache replication groups should be encrypted in transit			1	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20	no data
💼 Cloudaware Framework → 💼 Data Encryption			70	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	13	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21	no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys			10	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable In-Transit Encryption on an Existing Replication Group​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable In-Transit Encryption on an Existing Replication Group

From Command Line

policy.yaml

Linked Framework Sections