AWS ElastiCache At-Rest Encryption Disabled

High Risk | Infrastructure Security
Tags: aws, elasticache, redis, encryption, data-at-rest, cache, session-data, terraform, cloudformation

What it is

A critical security vulnerability where Amazon ElastiCache Redis replication groups are created without at-rest encryption, leaving cached data, snapshots, and backups unprotected. Sensitive data that applications commonly keep in Redis, including session tokens, user data, application state, and cached query results, is exposed to anyone who gains access to the underlying storage. Without encryption the data is written in plaintext during disk operations, memory swaps, and backup storage to S3.

# VULNERABLE: ElastiCache cluster without at-rest encryption
resource "aws_elasticache_replication_group" "redis_cache" {
  replication_group_id = "app-cache"
  description          = "Redis cluster for application caching"
  node_type            = "cache.r6g.large"
  num_cache_clusters   = 2
  
  # VULNERABLE: Missing at_rest_encryption_enabled
  # Data stored in plaintext on disk
  
  automatic_failover_enabled = true
  
  tags = {
    Environment = "production"
  }
}

# VULNERABLE: CloudFormation without encryption
Resources:
  AppCacheReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: app-cache
      # ReplicationGroupDescription is a required property of this resource type
      ReplicationGroupDescription: Redis cluster for application caching
      CacheNodeType: cache.r6g.large
      NumCacheClusters: 2
      # VULNERABLE: Missing AtRestEncryptionEnabled: true
      AutomaticFailoverEnabled: true
      Tags:
        - Key: Environment
          Value: production

# SECURE: ElastiCache cluster with at-rest encryption enabled
resource "aws_elasticache_replication_group" "redis_cache" {
  replication_group_id = "app-cache"
  description          = "Redis cluster for application caching"
  node_type            = "cache.r6g.large"
  num_cache_clusters   = 2
  
  # SECURE: Enable at-rest encryption
  at_rest_encryption_enabled = true
  kms_key_id                 = aws_kms_key.elasticache.arn
  
  # Also enable transit encryption and auth
  transit_encryption_enabled = true
  auth_token                 = var.redis_auth_token
  
  automatic_failover_enabled = true
  
  tags = {
    Environment = "production"
  }
}

# KMS key for ElastiCache encryption
resource "aws_kms_key" "elasticache" {
  description         = "KMS key for ElastiCache encryption"
  enable_key_rotation = true
}

# SECURE: CloudFormation with encryption enabled
Resources:
  ElastiCacheKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for ElastiCache encryption
      EnableKeyRotation: true

  AppCacheReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: app-cache
      # ReplicationGroupDescription is a required property of this resource type
      ReplicationGroupDescription: Redis cluster for application caching
      CacheNodeType: cache.r6g.large
      NumCacheClusters: 2
      # SECURE: Enable at-rest encryption
      AtRestEncryptionEnabled: true
      KmsKeyId: !Ref ElastiCacheKey
      TransitEncryptionEnabled: true
      AutomaticFailoverEnabled: true
      Tags:
        - Key: Environment
          Value: production

💡 Why This Fix Works

The vulnerable examples create ElastiCache replication groups without at-rest encryption, so snapshots, backups and on-disk data are stored in plaintext. The secure alternatives enable at-rest encryption with a customer-managed KMS key that has rotation turned on, enable in-transit encryption, and (in the Terraform version) require a Redis AUTH token; the Fixes below extend this with network isolation and monitoring.

Why it happens

Development teams create ElastiCache Redis clusters without enabling at-rest encryption, often due to performance concerns or lack of awareness about security requirements. Encryption is disabled by default and must be explicitly enabled, leading many caches to operate with unprotected data. This commonly occurs when teams prioritize rapid deployment over security controls.

Root causes

ElastiCache Replication Group Without Encryption Configuration

The aws_elasticache_replication_group resource and the AWS::ElastiCache::ReplicationGroup type default to at-rest encryption being off, so a replication group defined without an explicit at_rest_encryption_enabled / AtRestEncryptionEnabled setting stores its data, snapshots and backups in plaintext. Teams leave the setting out because of performance concerns, because they are unaware it is off by default, or because rapid deployment takes priority over security controls.

Infrastructure Code Missing Encryption Settings

Terraform and CloudFormation templates that define ElastiCache replication groups without the at_rest_encryption_enabled property or AtRestEncryptionEnabled setting. This oversight often happens when using basic configurations or when copying examples that don't include security best practices. Teams may overlook encryption when migrating from development to production environments.

Fixes

1. Enable At-Rest Encryption for Redis Clusters

Configure at-rest encryption by setting at_rest_encryption_enabled = true in Terraform or AtRestEncryptionEnabled: true in CloudFormation. Use customer-managed KMS keys for additional control over encryption keys and compliance requirements. Note that at-rest encryption cannot be switched on for an existing replication group, so enabling it may require cluster replacement: CloudFormation replaces the resource and Terraform forces a new one, so plan the cutover (for example by restoring a snapshot into the new encrypted group).
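A static check for the setting described in this fix, as an added example that is not Sourcery's rule implementation or code from this page. It uses only the standard library and handles the two JSON forms of the templates shown above: CloudFormation templates written in JSON and Terraform's JSON syntax (.tf.json). The two sample documents at the bottom are constructed for the demonstration; the severity labels are the author's choice, not an AWS classification.

```python
"""Flag ElastiCache replication groups defined without at-rest encryption."""
import json
from typing import Any, Dict, List

CF_TYPE = "AWS::ElastiCache::ReplicationGroup"
TF_TYPE = "aws_elasticache_replication_group"


def _enabled(value: Any) -> bool:
    """Both dialects accept a boolean; some templates carry the string form."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _finding(resource: str, dialect: str, severity: str, issue: str) -> Dict[str, str]:
    return {"resource": resource, "dialect": dialect, "severity": severity, "issue": issue}


def check_cloudformation(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """One finding per ReplicationGroup missing AtRestEncryptionEnabled: true."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != CF_TYPE:
            continue
        props = res.get("Properties", {})
        if not _enabled(props.get("AtRestEncryptionEnabled")):
            findings.append(_finding(name, "cloudformation", "high",
                                     "AtRestEncryptionEnabled is missing or false"))
        elif "KmsKeyId" not in props:
            # Encrypted, but with the service default key, not a customer-managed one.
            findings.append(_finding(name, "cloudformation", "low",
                                     "no customer-managed KmsKeyId"))
        if not _enabled(props.get("TransitEncryptionEnabled")):
            findings.append(_finding(name, "cloudformation", "medium",
                                     "TransitEncryptionEnabled is missing or false"))
    return findings


def check_terraform_json(config: Dict[str, Any]) -> List[Dict[str, str]]:
    """One finding per aws_elasticache_replication_group missing at_rest_encryption_enabled = true.

    In Terraform's JSON syntax "resource" may be an object or a list of objects,
    and a resource body may be an object or a list of objects; both forms are handled.
    """
    findings = []
    blocks = config.get("resource", {})
    for block in (blocks if isinstance(blocks, list) else [blocks]):
        for name, body in block.get(TF_TYPE, {}).items():
            label = f"{TF_TYPE}.{name}"
            for attrs in (body if isinstance(body, list) else [body]):
                if not _enabled(attrs.get("at_rest_encryption_enabled")):
                    findings.append(_finding(label, "terraform", "high",
                                             "at_rest_encryption_enabled is missing or false"))
                elif "kms_key_id" not in attrs:
                    findings.append(_finding(label, "terraform", "low",
                                             "no customer-managed kms_key_id"))
                if not _enabled(attrs.get("transit_encryption_enabled")):
                    findings.append(_finding(label, "terraform", "medium",
                                             "transit_encryption_enabled is missing or false"))
    return findings


def scan_document(text: str) -> List[Dict[str, str]]:
    """Parse one JSON document and dispatch on its top-level shape."""
    doc = json.loads(text)
    if "Resources" in doc:
        return check_cloudformation(doc)
    if "resource" in doc:
        return check_terraform_json(doc)
    return []


# Constructed sample: the vulnerable CloudFormation group from this page, in JSON.
VULNERABLE_CF = """{
  "Resources": {
    "AppCacheReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "ReplicationGroupId": "app-cache",
        "ReplicationGroupDescription": "Redis cluster for application caching",
        "CacheNodeType": "cache.r6g.large",
        "NumCacheClusters": 2,
        "AutomaticFailoverEnabled": true
      }
    }
  }
}"""

# Constructed sample: the secure Terraform group from this page, in .tf.json form.
SECURE_TF_JSON = """{
  "resource": {
    "aws_elasticache_replication_group": {
      "redis_cache": {
        "replication_group_id": "app-cache",
        "description": "Redis cluster for application caching",
        "node_type": "cache.r6g.large",
        "num_cache_clusters": 2,
        "at_rest_encryption_enabled": true,
        "kms_key_id": "${aws_kms_key.elasticache.arn}",
        "transit_encryption_enabled": true,
        "auth_token": "${var.redis_auth_token}",
        "automatic_failover_enabled": true
      }
    }
  }
}"""

if __name__ == "__main__":
    for label, text in (("vulnerable CloudFormation", VULNERABLE_CF),
                        ("secure Terraform", SECURE_TF_JSON)):
        print(label, "->", scan_document(text) or "no findings")
```

Run it as-is to see the vulnerable template produce a high (at-rest) and a medium (transit) finding and the secure one produce none; to scan real files, feed each file's text to scan_document. Templates written in YAML with short-form tags such as !Ref need a CloudFormation-aware YAML loader before they can be checked the same way.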

2. Implement Comprehensive Cache Security

Beyond at-rest encryption, enable transit encryption, authentication tokens (AUTH), and network isolation. Use Redis AUTH tokens to prevent unauthorized access and configure VPC security groups to restrict network access. Implement proper key rotation and access logging for cache operations.

3. Monitor Cache Security Configuration

Set up CloudWatch monitoring and alerts to track encryption status and security configuration changes. Create compliance checks to ensure all production caches have encryption enabled. Implement automated scanning to detect unencrypted cache clusters and enforce security policies across environments.
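The automated scan described in this fix, as an added example that is not code from this page or from AWS. audit_replication_groups() works on the ReplicationGroups list that the ElastiCache DescribeReplicationGroups API returns (fields AtRestEncryptionEnabled, TransitEncryptionEnabled, AuthTokenEnabled and KmsKeyId); the response below is constructed. fetch_and_audit() is the live path: it needs boto3 and AWS credentials, and the CloudWatch metric namespace and name it publishes are assumptions chosen for the example.

```python
"""Audit deployed ElastiCache replication groups for missing encryption controls."""
from typing import Any, Dict, List


def audit_replication_groups(groups: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per missing control, in the order the groups are listed."""
    findings: List[Dict[str, str]] = []
    for g in groups:
        rg = g.get("ReplicationGroupId", "<unknown>")

        def add(severity: str, issue: str) -> None:
            findings.append({"group": rg, "severity": severity, "issue": issue})

        if not g.get("AtRestEncryptionEnabled", False):
            add("high", "at-rest encryption disabled")
        elif not g.get("KmsKeyId"):
            # Encrypted, but with the service default key instead of a customer-managed one.
            add("low", "no customer-managed KmsKeyId")
        if not g.get("TransitEncryptionEnabled", False):
            add("medium", "in-transit encryption disabled")
        elif not g.get("AuthTokenEnabled", False):
            add("medium", "transit encryption on but no Redis AUTH token")
    return findings


def count_unencrypted(findings: List[Dict[str, str]]) -> int:
    """Number of groups with at-rest encryption disabled (the value worth alarming on)."""
    return sum(1 for f in findings if f["severity"] == "high")


def fetch_and_audit(region: str = "us-east-1") -> List[Dict[str, str]]:
    """Live path: page through every replication group in the region and publish the
    count of unencrypted groups as a CloudWatch metric so an alarm can fire when it
    rises above zero. Namespace 'Security/ElastiCache' is an assumed name."""
    import boto3  # imported here so the offline audit has no AWS dependency

    ec = boto3.client("elasticache", region_name=region)
    groups: List[Dict[str, Any]] = []
    for page in ec.get_paginator("describe_replication_groups").paginate():
        groups.extend(page["ReplicationGroups"])
    findings = audit_replication_groups(groups)
    boto3.client("cloudwatch", region_name=region).put_metric_data(
        Namespace="Security/ElastiCache",
        MetricData=[{"MetricName": "UnencryptedReplicationGroups",
                     "Value": count_unencrypted(findings), "Unit": "Count"}],
    )
    return findings


# Constructed DescribeReplicationGroups response: one group as deployed from the
# vulnerable template above, one as deployed from the secure template.
SAMPLE_RESPONSE = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "app-cache",
         "AtRestEncryptionEnabled": False,
         "TransitEncryptionEnabled": False,
         "AuthTokenEnabled": False},
        {"ReplicationGroupId": "app-cache-encrypted",
         "AtRestEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "TransitEncryptionEnabled": True,
         "AuthTokenEnabled": True},
    ]
}

if __name__ == "__main__":
    for f in audit_replication_groups(SAMPLE_RESPONSE["ReplicationGroups"]):
        print(f"{f['severity']:6} {f['group']}: {f['issue']}")
```

Scheduling fetch_and_audit on a timer (for example from Lambda) and putting a CloudWatch alarm on the published metric turns the check into the continuous compliance control the fix calls for; the offline function is what a unit test or a CI gate would call.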

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS ElastiCache at-rest encryption disabled and many other security issues in your codebase.