ElastiCache data should be encrypted at rest
- GG_ID: GG_IAC_0046
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description
Amazon ElastiCache for Redis is a web service that makes it easy to set up, manage, and scale a distributed in-memory data store or cache environment in the cloud. It provides a high-performance and scalable caching solution.
Data should always be encrypted at rest so that it stays protected if access is compromised.
# Impact
Not encrypting data at rest could lead to a data leak in the event of an attack.
# Remediation guidelines
Enable at-rest encryption for ElastiCache. Note that this will recreate the ElastiCache replication group and could lead to data loss. If losing this data is not acceptable, backups should be used. See https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#at-rest-encryption-enable for more details.
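A pre-apply check for this policy, as an added example (not GitGuardian's detection logic): it reads the JSON produced by `terraform show -json` and lists replication groups whose planned state lacks at-rest encryption, plus groups that enabling it would recreate, which is where the backup advice above applies. It assumes Terraform with the AWS provider's `aws_elasticache_replication_group` resource, which this page does not name; the resource names and the sample plan are constructed.

```python
"""Review a Terraform plan (`terraform show -json plan.out`) for ElastiCache at-rest encryption."""
import json
import sys

RG_TYPE = "aws_elasticache_replication_group"


def is_encrypted(values):
    # Accept a bool or the string "true" (tolerate either encoding);
    # unset, null or not-yet-known values count as not encrypted.
    flag = (values or {}).get("at_rest_encryption_enabled")
    return flag is True or (isinstance(flag, str) and flag.lower() == "true")


def review_plan(plan):
    """Return (unencrypted, recreated) lists of replication group addresses."""
    unencrypted, recreated = [], []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RG_TYPE:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions == ["delete"]:
            continue  # group is being destroyed, nothing left to encrypt
        if not is_encrypted(change.get("after")):
            unencrypted.append(rc["address"])
        elif {"delete", "create"} <= set(actions) and not is_encrypted(change.get("before")):
            # Encryption is switched on by replacing the group: cached data is lost.
            recreated.append(rc["address"])
    return unencrypted, recreated


def _rc(address, actions, before, after, rtype=RG_TYPE):
    """Build one constructed `resource_changes` entry for the sample plan."""
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before, "after": after}}


# Constructed sample plan (hypothetical resource names).
ON, OFF = {"at_rest_encryption_enabled": True}, {"at_rest_encryption_enabled": False}
SAMPLE_PLAN = {"resource_changes": [
    _rc("aws_elasticache_replication_group.sessions", ["create"], None, ON),
    _rc("module.cache.aws_elasticache_replication_group.legacy", ["no-op"], OFF, OFF),
    _rc("aws_elasticache_replication_group.orders", ["delete", "create"], OFF, ON),
    _rc("aws_elasticache_replication_group.unset", ["create"], None, {"at_rest_encryption_enabled": None}),
    _rc("aws_s3_bucket.logs", ["create"], None, {}, rtype="aws_s3_bucket"),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    unencrypted, recreated = review_plan(plan)
    for addr in unencrypted:
        print(f"FAIL {addr}: at-rest encryption not enabled")
    for addr in recreated:
        print(f"WARN {addr}: will be recreated, back up data first")
    sys.exit(1 if unencrypted else 0)
```

Run it in CI with the plan JSON path as the only argument; a non-zero exit means at least one replication group would be left unencrypted.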