lacework-global-716

AWS ElastiCache Replication Group encryption-at-rest should use a Customer-Managed Key Management Service (KMS) Key

Description

As a security best practice, use a customer-managed KMS key instead of the default Key Management Service (KMS) key for encryption, to gain the ability to rotate the key according to your own policies, delete the key, and control access to the key via KMS key policies and Identity and Access Management (IAM) policies.

Remediation

The options for modifying an existing replication group are limited.

For replication groups that currently use the AWS default key for encryption at rest, the remediation is to take a backup of the existing replication group and recreate it from that backup, so that the recreated group has encryption at rest enabled and a customer-managed KMS key associated with it.

See the AWS documentation links below for detailed guidance.
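The following is an added example, not Lacework's policy code or an AWS-provided script. It covers both parts of this page: a check that flags replication groups whose encryption at rest does not rest on a customer-managed KMS key (the Description), and a helper that assembles the create_replication_group parameters for the recreate-from-backup remediation (the Remediation). The sample replication group records and the KMS key-manager lookup are constructed for the example; the assumption that a group encrypted with the AWS-managed default key reports no KmsKeyId is marked in the code. The live variant at the end needs boto3 and AWS credentials and is not exercised here.

```python
"""Audit ElastiCache replication groups for customer-managed KMS keys and
build the parameter set for recreating a group from a backup under a CMK.

Added example, not part of the Lacework policy or the AWS documentation.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample data, shaped like entries in
# elasticache.describe_replication_groups()["ReplicationGroups"].
SAMPLE_REPLICATION_GROUPS: List[dict] = [
    {   # encrypted with a customer-managed key: compliant
        "ReplicationGroupId": "rg-orders-cache",
        "Description": "orders cache",
        "AtRestEncryptionEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-0001",
        "CacheNodeType": "cache.t3.micro",
        "TransitEncryptionEnabled": True,
        "AutomaticFailover": "enabled",
    },
    {   # encrypted, but no KmsKeyId reported: AWS-managed default key (assumption)
        "ReplicationGroupId": "rg-session-cache",
        "Description": "session cache",
        "AtRestEncryptionEnabled": True,
        "CacheNodeType": "cache.t3.micro",
        "TransitEncryptionEnabled": False,
        "AutomaticFailover": "disabled",
    },
    {   # encryption at rest not enabled at all
        "ReplicationGroupId": "rg-legacy",
        "Description": "legacy",
        "AtRestEncryptionEnabled": False,
        "CacheNodeType": "cache.t3.micro",
        "TransitEncryptionEnabled": False,
        "AutomaticFailover": "disabled",
    },
]

# Constructed stand-in for kms.describe_key()["KeyMetadata"]["KeyManager"],
# which is "CUSTOMER" for customer-managed keys and "AWS" for AWS-managed ones.
SAMPLE_KEY_MANAGER: Dict[str, str] = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-0001": "CUSTOMER",
}


def evaluate_replication_group(rg: dict, key_manager: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return None when the group is compliant, otherwise the reason it is not."""
    if not rg.get("AtRestEncryptionEnabled"):
        return "encryption at rest is disabled"
    key_id = rg.get("KmsKeyId")
    if not key_id:
        # Assumption: a group encrypted with the AWS-managed default key carries
        # no KmsKeyId in its description.
        return "encrypted with the AWS-managed default key (no KmsKeyId)"
    if key_manager(key_id) != "CUSTOMER":
        return f"KMS key {key_id} is not customer-managed"
    return None


def find_noncompliant(groups: List[dict], key_manager: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map each non-compliant ReplicationGroupId to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for rg in groups:
        reason = evaluate_replication_group(rg, key_manager)
        if reason:
            findings[rg["ReplicationGroupId"]] = reason
    return findings


def build_recreate_params(rg: dict, new_group_id: str, snapshot_name: str, customer_key_arn: str) -> dict:
    """Parameters for elasticache.create_replication_group() that restore the
    group from the named backup with encryption at rest under the CMK.

    A replication group id must be unique, so the restored group gets a new id
    unless the original has already been deleted. Subnet group, security
    groups, parameter group and node counts must also be carried over from the
    original group; they are intentionally left out of this example.
    """
    return {
        "ReplicationGroupId": new_group_id,
        "ReplicationGroupDescription": rg["Description"],
        "SnapshotName": snapshot_name,
        "CacheNodeType": rg["CacheNodeType"],
        "AtRestEncryptionEnabled": True,
        "KmsKeyId": customer_key_arn,
        "TransitEncryptionEnabled": rg.get("TransitEncryptionEnabled", False),
        "AutomaticFailoverEnabled": rg.get("AutomaticFailover") == "enabled",
    }


def audit_region(region: str) -> Dict[str, str]:
    """Live variant: needs boto3 and credentials with elasticache:Describe* and
    kms:DescribeKey. Imported here so the module loads without boto3."""
    import boto3
    ec = boto3.client("elasticache", region_name=region)
    kms = boto3.client("kms", region_name=region)
    groups: List[dict] = []
    for page in ec.get_paginator("describe_replication_groups").paginate():
        groups.extend(page["ReplicationGroups"])

    def key_manager(key_id: str) -> str:
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]

    return find_noncompliant(groups, key_manager)
```

Running find_noncompliant over the sample data flags rg-session-cache and rg-legacy and leaves rg-orders-cache alone; build_recreate_params then produces the restore call for a flagged group, to be issued after create_snapshot has produced the backup it names.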

References

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#using-customer-managed-keys-for-elasticache-security
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#at-reset-encryption-enable-existing-cluster