AWS ElastiCache Redis AUTH Token Disabled (CKV_AWS_31)

High Risk | Infrastructure Security

Tags: aws, elasticache, redis, authentication, auth-token, access-control, cache, terraform, cloudformation, checkov, ckv-aws-31

What it is

A critical authentication vulnerability where Amazon ElastiCache Redis clusters are configured without Redis AUTH tokens, allowing unauthenticated access to cached data. This leaves sensitive cached information including session data, authentication tokens, user profiles, and business-critical data accessible to anyone who can reach the Redis cluster through network connectivity. Without AUTH protection, attackers who gain network access can execute arbitrary Redis commands and access all cached data.

# VULNERABLE: ElastiCache without AUTH token (CKV_AWS_31 violation)
resource "aws_elasticache_replication_group" "user_session_cache" {
  replication_group_id         = "user-sessions"
  description                  = "Redis cluster for user session storage"
  port                         = 6379
  parameter_group_name         = "default.redis7"
  node_type                    = "cache.r7g.large"
  num_cache_clusters           = 2
  automatic_failover_enabled   = true
  multi_az_enabled             = true
  
  # SECURITY ISSUE: Missing AUTH token configuration
  # No authentication required for Redis access
  # transit_encryption_enabled = false (default)
  # auth_token not configured
  
  subnet_group_name = aws_elasticache_subnet_group.cache_subnet_group.name
  security_group_ids = [aws_security_group.cache_sg.id]
  
  tags = {
    Environment = "production"
    Service     = "user-management"
    DataType    = "session-data"
  }
}

# VULNERABLE: CloudFormation without AUTH
Resources:
  UserSessionCache:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: user-sessions
      ReplicationGroupDescription: Redis cluster for user session storage
      Port: 6379
      CacheParameterGroupName: default.redis7
      CacheNodeType: cache.r7g.large
      NumCacheClusters: 2
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      # MISSING: AuthToken and TransitEncryptionEnabled
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
      Tags:
        - Key: Environment
          Value: production
        - Key: Service
          Value: user-management

# SECURE: ElastiCache with AUTH token (CKV_AWS_31 compliant)
resource "aws_elasticache_replication_group" "user_session_cache" {
  replication_group_id         = "user-sessions"
  description                  = "Redis cluster for user session storage"
  port                         = 6379
  parameter_group_name         = "default.redis7"
  node_type                    = "cache.r7g.large"
  num_cache_clusters           = 2
  automatic_failover_enabled   = true
  multi_az_enabled             = true
  
  # Enable authentication and encryption
  transit_encryption_enabled   = true  # Required for AUTH token
  auth_token                   = random_password.redis_auth_token.result
  
  subnet_group_name = aws_elasticache_subnet_group.cache_subnet_group.name
  security_group_ids = [aws_security_group.cache_sg.id]
  
  tags = {
    Environment = "production"
    Service     = "user-management"
  }
}

# Generate a secure AUTH token. ElastiCache accepts 16-128 printable ASCII
# characters and rejects '/', '"' and '@'; special = false keeps the token
# inside that set. The result is stored (marked sensitive) in Terraform state,
# so protect the state backend and distribute the token to applications
# through Secrets Manager rather than from state.
resource "random_password" "redis_auth_token" {
  length  = 128
  special = false
}

# SECURE: CloudFormation with AUTH token
Resources:
  RedisAuthToken:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: elasticache/user-sessions/auth-token
      GenerateSecretString:
        SecretStringTemplate: '{}'
        GenerateStringKey: auth_token
        PasswordLength: 128
        ExcludeCharacters: '"@/\'

  UserSessionCache:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: user-sessions
      ReplicationGroupDescription: Redis cluster for user session storage
      Port: 6379
      CacheParameterGroupName: default.redis7
      CacheNodeType: cache.r7g.large
      NumCacheClusters: 2
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      # Enable authentication and encryption
      TransitEncryptionEnabled: true
      AuthToken: !Sub '{{resolve:secretsmanager:${RedisAuthToken}:SecretString:auth_token}}'
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup

💡 Why This Fix Works

The vulnerable examples show ElastiCache clusters created without AUTH tokens, violating CKV_AWS_31 and allowing unauthenticated access. The secure implementations enable AUTH tokens with transit encryption and store credentials securely in Secrets Manager.

💡 Explanation

This Python code demonstrates the difference between vulnerable unauthenticated Redis connections and secure connections using AUTH tokens retrieved from AWS Secrets Manager with TLS encryption.

💡 Explanation

These commands show how to verify AUTH token configuration, manage credentials through Secrets Manager, test connections, and monitor for authentication issues in ElastiCache clusters.

Why it happens

ElastiCache Redis replication groups are created using default settings that do not enable Redis AUTH. This commonly occurs when developers prioritize ease of connection over security, or when working with development environments where authentication seems unnecessary. AUTH tokens must be explicitly configured and require transit encryption to be enabled.

Root causes

Default ElastiCache Configuration Without Authentication

This is the default-configuration gap described under "Why it happens" above: the replication group is created with Redis AUTH off, and nothing in the deployment explicitly turns it on or enables the transit encryption it depends on.

Missing AUTH Token Configuration in Infrastructure Code

Infrastructure as Code templates (Terraform, CloudFormation) define ElastiCache clusters without setting auth_token parameters or AuthToken properties. This often happens when copying basic examples that don't include security configurations, or when teams are unaware that Redis AUTH is available in ElastiCache.

Network Security Over Application Security

Teams rely solely on VPC security groups and network isolation for Redis protection without implementing application-level authentication. While network controls are important, they don't protect against lateral movement, compromised applications, or insider threats that may have network access to the Redis cluster.

Fixes

1. Enable Redis AUTH Token

Configure Redis AUTH by setting auth_token in Terraform or AuthToken in CloudFormation. This requires enabling transit_encryption_enabled = true, since AUTH tokens are only supported with encryption in transit. Generate strong, random tokens and store them securely in AWS Secrets Manager for application access.

2. Implement Comprehensive ElastiCache Security

Enable both authentication and encryption for complete Redis protection. Configure auth_token with transit_encryption_enabled = true and at_rest_encryption_enabled = true. Use VPC security groups to restrict network access and apply the principle of least privilege to Redis access.

3. Establish Token Management Procedures

Create procedures for secure token generation, rotation, and distribution to applications. Use AWS Secrets Manager to store AUTH tokens and implement automatic rotation policies. Document emergency access procedures and establish monitoring for authentication failures.
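As an added example (not Sourcery's or the page's own code), the Python helpers below cover two things the explanation and the fixes above describe: auditing `aws elasticache describe-replication-groups` output for replication groups that lack an AUTH token or encryption, and generating and validating tokens against the ElastiCache constraints (16-128 printable ASCII characters, none of '/', '"' or '@'). The JSON sample is constructed; its field names follow the shape of the describe-replication-groups response.

```python
# Offline helpers for CKV_AWS_31: audit describe-replication-groups output and
# generate/validate AUTH tokens that satisfy ElastiCache's token constraints.
import json
import secrets
import string

# ElastiCache AUTH token rules: 16-128 printable ASCII chars, none of / " @
FORBIDDEN = set('/"@')
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in FORBIDDEN)

def validate_auth_token(token: str) -> list:
    """Return the list of constraint violations; an empty list means acceptable."""
    problems = []
    if not 16 <= len(token) <= 128:
        problems.append(f"length {len(token)} not in 16..128")
    if any(not 32 <= ord(c) <= 126 for c in token):
        problems.append("contains non-printable or non-ASCII characters")
    bad = sorted(FORBIDDEN & set(token))
    if bad:
        problems.append(f"contains forbidden characters {bad}")
    return problems

def generate_auth_token(length: int = 128) -> str:
    """Build a token from the allowed alphabet using a CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit_replication_groups(describe_json: str) -> list:
    """Flag replication groups that fail CKV_AWS_31 or lack encryption."""
    findings = []
    for rg in json.loads(describe_json).get("ReplicationGroups", []):
        issues = []
        if not rg.get("AuthTokenEnabled", False):
            issues.append("CKV_AWS_31: AUTH token disabled")
        if not rg.get("TransitEncryptionEnabled", False):
            issues.append("transit encryption disabled (required for AUTH)")
        if not rg.get("AtRestEncryptionEnabled", False):
            issues.append("at-rest encryption disabled")
        if issues:
            findings.append({"id": rg["ReplicationGroupId"], "issues": issues})
    return findings

# Constructed sample in the shape of `aws elasticache describe-replication-groups`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"ReplicationGroups": [
    {"ReplicationGroupId": "user-sessions", "AuthTokenEnabled": False,
     "TransitEncryptionEnabled": False, "AtRestEncryptionEnabled": True},
    {"ReplicationGroupId": "user-sessions-hardened", "AuthTokenEnabled": True,
     "TransitEncryptionEnabled": True, "AtRestEncryptionEnabled": True}]})
```

Feed the real CLI output to audit_replication_groups in place of SAMPLE_DESCRIBE_OUTPUT; each finding names the replication group and the controls it is missing.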

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS ElastiCache Redis AUTH Token Disabled (CKV_AWS_31) and many other security issues in your codebase.