
Monitor Amazon ElastiCache clusters for at-rest encryption

Project Overview

Project Detail

Amazon ElastiCache is an Amazon Web Services (AWS) service that provides a high-performance, scalable, and cost-effective caching solution for distributing an in-memory data store or cache environment in the cloud. It serves data from high-throughput, low-latency, in-memory data stores, which makes it a popular choice for real-time use cases such as caching, session stores, gaming, geospatial services, real-time analytics, and queuing. ElastiCache offers Redis and Memcached data stores, both of which provide sub-millisecond response times.

Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at rest, and data that can be intercepted as it travels through the network between clients and cache servers, known as data in transit.

You can enable at-rest encryption for ElastiCache for Redis when you create a replication group, by setting the AtRestEncryptionEnabled parameter to true. When this parameter is enabled, it encrypts the disk during sync, backup, and swap operations, and encrypts backups stored in Amazon Simple Storage Service (Amazon S3). You cannot enable at-rest encryption on an existing replication group. When you create a replication group, you can enable encryption at rest in these two ways:

  • By choosing the Default option, which uses service-managed encryption at rest.

  • By using a customer managed key and providing the key ID or Amazon Resource Name (ARN) from AWS Key Management Service (AWS KMS).

This pattern provides a security control that monitors for API calls and generates an Amazon CloudWatch Events event on the CreateReplicationGroup operation. This event calls an AWS Lambda function, which runs a Python script. The function gets the replication group ID from the event JSON input, and performs the following checks to determine whether there's a security violation:

  • Checks if the AtRestEncryptionEnabled key exists.

  • If AtRestEncryptionEnabled exists, checks the value to see if it is true.

  • If the AtRestEncryptionEnabled value is set to false, sets a variable that tracks violations and sends a violation message to an email address you provide, by using an Amazon Simple Notification Service (Amazon SNS) notification.
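The three checks above, written out as an added example rather than the pattern's own Lambda script. It assumes the CloudWatch Events rule forwards the CloudTrail record, so the API parameters sit under event["detail"]["requestParameters"] with the flag spelled atRestEncryptionEnabled (CloudTrail lower-cases the first letter); SNS_TOPIC_ARN is a placeholder environment variable and the sample events are constructed.

```python
"""Added example, not the pattern's own script: the violation check the Lambda
function performs on a CreateReplicationGroup event.

Assumptions (labelled): API parameters are read from
event["detail"]["requestParameters"] as CloudTrail delivers them, the flag is
spelled atRestEncryptionEnabled, SNS_TOPIC_ARN is a placeholder environment
variable, and the sample events below are constructed for this example.
"""
import os


def check_at_rest_encryption(event):
    """Return (replication_group_id, violation) for one event.

    violation is True when the key is absent (the API's documented default is
    false, so the group is unencrypted) or present with any value but true.
    """
    params = event.get("detail", {}).get("requestParameters") or {}
    group_id = params.get("replicationGroupId", "<unknown>")
    flag = params.get("atRestEncryptionEnabled")
    if flag is None:                   # check 1: key does not exist
        return group_id, True
    return group_id, flag is not True  # check 2: key exists, value must be true


def lambda_handler(event, context=None, publish=None):
    """Entry point. Pass `publish` to avoid a real SNS call (used in tests)."""
    group_id, violation = check_at_rest_encryption(event)
    if violation:                      # check 3: record and notify
        message = (f"Security violation: ElastiCache replication group "
                   f"{group_id} created with AtRestEncryptionEnabled != true")
        if publish is None:
            import boto3  # only needed inside Lambda
            topic = os.environ["SNS_TOPIC_ARN"]  # placeholder topic ARN
            publish = lambda m: boto3.client("sns").publish(TopicArn=topic, Message=m)
        publish(message)
    return {"replicationGroupId": group_id, "violation": violation}


# Constructed sample events shaped like CloudTrail records from CloudWatch Events
ENCRYPTED = {"detail": {"eventName": "CreateReplicationGroup", "requestParameters":
             {"replicationGroupId": "cache-a", "atRestEncryptionEnabled": True}}}
UNENCRYPTED = {"detail": {"eventName": "CreateReplicationGroup", "requestParameters":
               {"replicationGroupId": "cache-b", "atRestEncryptionEnabled": False}}}
NO_FLAG = {"detail": {"eventName": "CreateReplicationGroup", "requestParameters":
           {"replicationGroupId": "cache-c"}}}

if __name__ == "__main__":
    for ev in (ENCRYPTED, UNENCRYPTED, NO_FLAG):
        print(lambda_handler(ev, publish=print))
```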

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-elasticache-clusters-for-at-rest-encryption.html?did=pg_card&trk=pg_card
