Information disclosure due to disabled at-rest encryption on ElastiCache clusters

High Risk · infrastructure-security

Tags: aws, elasticache, redis, encryption, data-at-rest, cache, terraform, infrastructure-security

What it is

AWS ElastiCache Redis clusters configured without at-rest encryption leave cached data and backup files unprotected on disk. This exposes sensitive cached information including session data, authentication tokens, user profiles, and business-critical data to unauthorized access if storage systems are compromised, lost, or improperly decommissioned.

# VULNERABLE: ElastiCache without at-rest encryption
resource "aws_elasticache_replication_group" "session_cache" {
  replication_group_id       = "session-cache"
  description                = "Redis cluster for session storage"
  port                       = 6379
  parameter_group_name       = "default.redis7"
  node_type                  = "cache.r7g.large"
  num_cache_clusters         = 2
  automatic_failover_enabled = true
  multi_az_enabled           = true
  
  # VULNERABLE: No at-rest encryption
  # at_rest_encryption_enabled defaults to false
  # Cached session data stored in plaintext
  
  subnet_group_name  = aws_elasticache_subnet_group.cache.name
  security_group_ids = [aws_security_group.cache.id]
  
  tags = {
    Environment = "production"
    Service     = "session-management"
  }
}

# SECURE: ElastiCache with at-rest encryption
resource "aws_elasticache_replication_group" "session_cache" {
  replication_group_id       = "session-cache"
  description                = "Redis cluster for session storage"
  port                       = 6379
  parameter_group_name       = "default.redis7"
  node_type                  = "cache.r7g.large"
  num_cache_clusters         = 2
  automatic_failover_enabled = true
  multi_az_enabled           = true
  
  # SECURE: Enable at-rest encryption
  at_rest_encryption_enabled = true
  kms_key_id                 = aws_kms_key.elasticache_key.arn
  
  # Enable in-transit encryption
  transit_encryption_enabled = true
  auth_token                 = random_password.cache_auth.result
  
  subnet_group_name  = aws_elasticache_subnet_group.cache.name
  security_group_ids = [aws_security_group.cache.id]
  
  tags = {
    Environment        = "production"
    Service            = "session-management"
    EncryptedAtRest    = "true"
    EncryptedInTransit = "true"
  }
}

# Customer-managed KMS key for encryption
resource "aws_kms_key" "elasticache_key" {
  description             = "KMS key for ElastiCache encryption"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  
  tags = {
    Name    = "ElastiCache Encryption Key"
    Purpose = "elasticache-encryption"
  }
}

resource "random_password" "cache_auth" {
  length           = 32
  special          = true
  # ElastiCache AUTH tokens only permit the special characters ! & # $ ^ < > -,
  # so restrict the generator to that set or the replication group fails to create
  override_special = "!&#$^<>-"
}

💡 Why This Fix Works

The vulnerable configuration omits the at_rest_encryption_enabled parameter (defaulting to false), leaving cached data unencrypted on disk and vulnerable to unauthorized access if storage is compromised. The secure version sets at_rest_encryption_enabled to true and uses a customer-managed KMS key, ensuring all cached data and backup files are encrypted at rest, providing protection against storage-level attacks and unauthorized access.
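The same check can be applied mechanically to Terraform source before it is ever applied. The following Python script is an added example, not part of the original page and not Sourcery's own scanner: it walks each top-level resource block, records the resource's own attributes (nested blocks such as tags are skipped by tracking brace depth), and reports every aws_elasticache_replication_group whose at_rest_encryption_enabled is missing or is anything other than the literal true. The sample HCL embedded below is constructed for this example; the resource names session_cache, token_cache and legacy_cache are assumptions.

```python
import re

# Constructed sample HCL for this example: an unencrypted group (flag omitted),
# a correctly encrypted group, a group that disables the flag explicitly, and an
# unrelated KMS key resource that the check must ignore.
SAMPLE_HCL = '''
resource "aws_elasticache_replication_group" "session_cache" {
  replication_group_id = "session-cache"
  node_type            = "cache.r7g.large"
  subnet_group_name    = aws_elasticache_subnet_group.cache.name
}

resource "aws_elasticache_replication_group" "token_cache" {
  replication_group_id       = "token-cache"
  at_rest_encryption_enabled = true
  kms_key_id                 = aws_kms_key.elasticache_key.arn
  transit_encryption_enabled = true
}

resource "aws_elasticache_replication_group" "legacy_cache" {
  replication_group_id       = "legacy-cache"
  at_rest_encryption_enabled = false
  tags = {
    Environment = "production"
  }
}

resource "aws_kms_key" "elasticache_key" {
  enable_key_rotation = true
}
'''

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def parse_resources(hcl):
    """Return [(type, name, {attr: raw_value})] for every top-level resource block.

    Only attributes at depth 1 inside the resource are recorded; nested blocks
    (tags = { ... }) raise the brace depth so their keys are not mistaken for
    resource attributes. Trailing '#' comments are stripped (a '#' inside a
    quoted string value would also be cut, which is a known limitation here).
    """
    resources = []
    current = None
    depth = 0
    for line in hcl.splitlines():
        stripped = line.split("#", 1)[0].rstrip()
        if current is None:
            m = RESOURCE_RE.match(stripped)
            if m:
                current = (m.group(1), m.group(2), {})
                depth = 1  # the header line's '{' opens the resource
            continue
        if depth == 1:
            m = ATTR_RE.match(stripped)
            if m and not m.group(2).endswith("{"):
                current[2][m.group(1)] = m.group(2)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            resources.append(current)
            current = None
    return resources


def check_at_rest_encryption(hcl):
    """Return one finding per replication group that is not encrypted at rest.

    A missing attribute is reported because the provider default is false.
    Any value other than the literal true (false, a variable, an expression)
    is reported as well, so that such cases get a manual review.
    """
    findings = []
    for rtype, name, attrs in parse_resources(hcl):
        if rtype != "aws_elasticache_replication_group":
            continue
        at_rest = attrs.get("at_rest_encryption_enabled")
        if at_rest is None:
            reason = "at_rest_encryption_enabled not set (provider default is false)"
        elif at_rest.lower() != "true":
            reason = f"at_rest_encryption_enabled = {at_rest}"
        else:
            continue
        findings.append({
            "resource": f"{rtype}.{name}",
            "reason": reason,
            "kms_key_id": attrs.get("kms_key_id"),
            "transit_encryption_enabled": attrs.get("transit_encryption_enabled"),
        })
    return findings


if __name__ == "__main__":
    for finding in check_at_rest_encryption(SAMPLE_HCL):
        print(f"{finding['resource']}: {finding['reason']}")
```

Run against the sample, the script reports session_cache (flag omitted) and legacy_cache (flag set to false) and stays silent on token_cache. In a pipeline the HCL would come from the repository's .tf files instead of the embedded sample; a non-empty finding list is the signal to fail the build.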

Why it happens

ElastiCache replication groups are created without at_rest_encryption_enabled explicitly set to true. Because the parameter defaults to false, cached data and backups are written to disk unencrypted.

Root causes

Missing Encryption Flag in Configuration

Replication groups are defined without at_rest_encryption_enabled explicitly set to true. Since the parameter defaults to false, cached data and backups end up stored unencrypted on disk.

Insecure Default Configuration

AWS ElastiCache defaults to no encryption at rest for backwards compatibility and ease of initial setup. Teams may not realize encryption is disabled unless they explicitly enable it, leaving data vulnerable.

Missing Infrastructure-as-Code Encryption Standards

Terraform or CloudFormation templates lack encryption configuration or security best practices, leading to deployment of unencrypted cache clusters in production environments.

Performance Over Security Priorities

Teams may disable or avoid encryption due to perceived performance overhead concerns, prioritizing cache performance over data protection without properly evaluating the minimal impact of modern encryption.

Incomplete Security Requirements Review

Encryption requirements for caching layers are overlooked during architecture design and deployment planning, especially when focusing primarily on application-level security controls.

Fixes

1. Enable At-Rest Encryption Parameter

Set at_rest_encryption_enabled to true on all ElastiCache replication groups in your Terraform or CloudFormation configurations. This ensures all cached data and backup files are encrypted on disk using AWS encryption.

2. Apply Encryption to All Production Caches

Review and update all production ElastiCache clusters to enable at-rest encryption. For existing unencrypted clusters, plan migration to new encrypted clusters, because at-rest encryption can only be set when a cluster is created and cannot be enabled on existing clusters.

3. Use Customer-Managed KMS Keys

Specify a customer-managed KMS key using the kms_key_id parameter for enhanced control over encryption key management, rotation policies, and access auditing through CloudTrail logs.

4. Enforce Encryption with AWS Config Rules

Implement AWS Config rules like elasticache-replication-group-encrypted-at-rest to automatically detect and flag any ElastiCache clusters deployed without encryption, ensuring continuous compliance.

5. Enable Comprehensive Encryption Protection

Enable both at-rest encryption (at_rest_encryption_enabled) and in-transit encryption (transit_encryption_enabled) for defense-in-depth, protecting cached data both on disk and during network transmission.
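Fixes 2 and 4 both need an inventory of what is actually running, not just what the templates say. The following Python script is an added example, not from the original page: it evaluates the JSON returned by `aws elasticache describe-replication-groups` and classifies each group against the controls above (at rest, in transit, customer-managed key). The field names ReplicationGroupId, AtRestEncryptionEnabled, TransitEncryptionEnabled and KmsKeyId are the real API response fields; the embedded response, the group names and the key ARN are constructed for this example, and treating a missing KmsKeyId as "AWS-managed default key" is an assumption.

```python
import json
import sys

# Constructed sample shaped like `aws elasticache describe-replication-groups`
# output. Field names are the real API ones; every value is made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "ReplicationGroups": [
        {"ReplicationGroupId": "session-cache", "Status": "available",
         "AtRestEncryptionEnabled": False, "TransitEncryptionEnabled": False},
        {"ReplicationGroupId": "token-cache", "Status": "available",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"ReplicationGroupId": "catalog-cache", "Status": "available",
         "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": False},
    ]
})


def audit_replication_groups(response_json):
    """Return one report entry per replication group with its list of issues.

    An unencrypted group gets a migration note because at-rest encryption can
    only be chosen at creation time (see fix 2). A group encrypted without a
    KmsKeyId is assumed to use the AWS-managed default key and is flagged at a
    lower priority (see fix 3). Missing in-transit encryption is reported as
    well (see fix 5).
    """
    groups = json.loads(response_json)["ReplicationGroups"]
    report = []
    for group in groups:
        at_rest = bool(group.get("AtRestEncryptionEnabled", False))
        in_transit = bool(group.get("TransitEncryptionEnabled", False))
        issues = []
        if not at_rest:
            issues.append("at-rest encryption disabled; cannot be enabled in place, "
                          "migrate to a new encrypted replication group")
        elif not group.get("KmsKeyId"):
            issues.append("at-rest encryption uses the AWS-managed default key; "
                          "consider a customer-managed KMS key")
        if not in_transit:
            issues.append("in-transit encryption disabled")
        report.append({
            "id": group["ReplicationGroupId"],
            "at_rest": at_rest,
            "in_transit": in_transit,
            "kms_key_id": group.get("KmsKeyId"),
            "issues": issues,
        })
    return report


def noncompliant(report):
    """IDs of every group with at least one issue, in API order."""
    return [entry["id"] for entry in report if entry["issues"]]


if __name__ == "__main__":
    # Real use: aws elasticache describe-replication-groups --output json | python3 audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for entry in audit_replication_groups(raw):
        status = "OK" if not entry["issues"] else "; ".join(entry["issues"])
        print(f"{entry['id']}: {status}")
```

Piped the real CLI output, the script prints one line per group; run with no input it falls back to the embedded sample, where session-cache and catalog-cache are reported and token-cache passes. The per-group issue list maps directly onto the fixes above, so the output doubles as the migration and remediation worklist.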

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to disabled at-rest encryption on ElastiCache clusters and many other security issues in your codebase.