Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled

In order to protect sensitive data, AWS ElastiCache Redis clusters should be encrypted rest. Encryption of data at rest prevents unauthorized access to your sensitive data stored on AWS ElastiCache Redis clusters and associated cache storage.

Risk Level: High
Cloud Entity: Amazon ElastiCache
CloudGuard Rule ID: D9.AWS.CRY.31
Category: Database


ElastiCache where engine='redis' should have atRestEncryptionEnabled=true


From Portal
AWS ElastiCache Redis cluster at-rest encryption can be set only at the time of the creation of the cluster. To fix this issue, create a new cluster with at-rest encryption, migrate all required ElastiCache Redis cluster data from the unencrypted cluster to the new cluster, and then delete the old cluster.

To create new ElastiCache Redis cluster with at-rest encryption set, perform the following:

  1. Sign in on the AWS console
  2. In the console, select the specific region
  3. Navigate to ElastiCache Dashboard
  4. Click Redis
  5. Click 'Create' button
  6. On the 'Create your Amazon ElastiCache cluster' page:
    a. Select 'Redis' cache engine type.
    b. Enter a name for the new cache cluster
    c. Select Redis engine version from 'Engine version compatibility' dropdown list.
    Note: As of July 2018, In-transit encryption can be enabled only for AWS ElastiCache clusters with Redis engine version 3.2.6 and 4.0.10.
    d. Click 'Advanced Redis settings' to expand the cluster advanced settings panel
    e. Select 'Encryption at-rest' checkbox to enable encryption along with other necessary parameters
  7. Click 'Create' button to launch your new ElastiCache Redis cluster

To delete reported ElastiCache Redis cluster, perform the following:

  1. Sign in on the AWS console
  2. In the console, select the specific region
  3. Navigate to ElastiCache Dashboard
  4. Click Redis
  5. Select reported Redis cluster
  6. Click 'Delete' button
  7. In the 'Delete Cluster' dialog box, if you want a backup for your cluster select 'Yes' from the 'Create final backup' dropdown menu, provide a name for the cluster backup, then click 'Delete'.

From TF
resource "aws_elasticache_replication_group" "default"{
replication_group_id = "default-1"

  • at_rest_encryption_enabled = true

From Command Line
Enabling At-Rest Encryption on a Redis (Cluster Mode Disabled) cluster.

aws elasticache create-replication-group --replication-group-id GROUP_ID --replication-group-description GROUP_DESCRIPTION --cache-node-type NODE_TYPE --engine redis --at-rest-encryption-enabled --num-cache-clusters VALUE

Enabling At-Rest Encryption on a Cluster for Redis (Cluster Mode Enabled).

aws elasticache create-replication-group --replication-group-id GROUP_ID --replication-group-description GROUP_DESCRIPTION --num-cache-clusters VALUE --cache-node-type NODE_TYPE --engine redis --engine-version VALUE --at-rest-encryption-enabled --cache-parameter-group PARAMETER_GROUP


  1. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-replication-group.html

Amazon ElastiCache

Amazon ElastiCache offers fully managed Redis and Memcached. Seamlessly deploy, operate, and scale popular open source compatible in-memory data stores. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0