

AWS ElastiCache Replication Group encryption-at-rest should use a Customer Managed Key


As a security best practice, a Customer Managed Key should be used instead of the default KMS key for encryption, to gain the ability to rotate the key according to your own policies, delete the key, and control access to the key via KMS key policies and IAM policies.


Modifications to existing Replication Groups are limited.

Replication groups which are using the AWS default key for encryption need to be recreated and restored from a backup of the existing replication group. Upon recreation, encryption-at-rest should be enabled and associated with a Customer Managed Key.
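The check below is an added example, not code from the original page or from AWS. It classifies replication groups the way this rule does, using the two fields that matter from the ElastiCache `DescribeReplicationGroups` response (`AtRestEncryptionEnabled` and `KmsKeyId`), and for each non-compliant group it builds the parameters for the recreate-from-backup step described above. The sample group records and the key ARN in them are constructed; two heuristics are assumptions and labelled as such: that a group using the AWS default key reports no `KmsKeyId`, and that a key given as an `alias/aws/...` alias is AWS managed rather than customer managed.

```python
"""Audit ElastiCache replication groups for encryption-at-rest with a CMK.

Added example. Input records mirror the ReplicationGroups entries returned by
the ElastiCache DescribeReplicationGroups API; the sample data is constructed.
"""
from dataclasses import dataclass

# Finding labels (constructed for this example)
NOT_ENCRYPTED = "encryption-at-rest disabled"
AWS_DEFAULT_KEY = "encrypted with the AWS default key (no KmsKeyId reported)"
AWS_MANAGED_ALIAS = "encrypted with an AWS managed key alias"
COMPLIANT = "encrypted with a customer managed key"


@dataclass
class Finding:
    replication_group_id: str
    status: str
    compliant: bool


def classify(group: dict) -> Finding:
    """Classify one replication group record against the CMK rule."""
    rg_id = group["ReplicationGroupId"]
    if not group.get("AtRestEncryptionEnabled", False):
        return Finding(rg_id, NOT_ENCRYPTED, False)
    key = group.get("KmsKeyId")
    # Assumption: a group encrypted with the AWS default key reports no KmsKeyId.
    if not key:
        return Finding(rg_id, AWS_DEFAULT_KEY, False)
    # Assumption: keys referenced as "alias/aws/..." are AWS managed, not CMKs.
    if key.startswith("alias/aws/"):
        return Finding(rg_id, AWS_MANAGED_ALIAS, False)
    return Finding(rg_id, COMPLIANT, True)


def audit(groups: list) -> list:
    """Classify every group; pass the concatenated pages of the describe call."""
    return [classify(g) for g in groups]


def noncompliant_ids(groups: list) -> list:
    """IDs of groups that must be recreated with a customer managed key."""
    return [f.replication_group_id for f in audit(groups) if not f.compliant]


def remediation_params(group: dict, new_group_id: str, cmk_arn: str,
                       snapshot_name: str) -> dict:
    """Parameters for the replacement group, restored from a backup of the
    existing one (CreateReplicationGroup parameter names). The old group
    stays up until the replacement is verified, so the new ID must differ."""
    if new_group_id == group["ReplicationGroupId"]:
        raise ValueError("replacement needs a new ReplicationGroupId")
    return {
        "ReplicationGroupId": new_group_id,
        "ReplicationGroupDescription": group.get("Description", new_group_id),
        "SnapshotName": snapshot_name,          # backup taken of the old group
        "AtRestEncryptionEnabled": True,
        "KmsKeyId": cmk_arn,                     # the customer managed key
    }


# Constructed sample records (account id, region and key id are placeholders)
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_GROUPS = [
    {"ReplicationGroupId": "prod-cache-a", "Description": "prod a",
     "AtRestEncryptionEnabled": True, "KmsKeyId": CMK_ARN},
    {"ReplicationGroupId": "prod-cache-b", "Description": "prod b",
     "AtRestEncryptionEnabled": True},                 # AWS default key
    {"ReplicationGroupId": "dev-cache", "Description": "dev",
     "AtRestEncryptionEnabled": False},                # not encrypted at all
    {"ReplicationGroupId": "legacy-cache", "Description": "legacy",
     "AtRestEncryptionEnabled": True, "KmsKeyId": "alias/aws/elasticache"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        flag = "OK  " if finding.compliant else "FAIL"
        print(f"{flag} {finding.replication_group_id}: {finding.status}")
    print(remediation_params(SAMPLE_GROUPS[1], "prod-cache-b-cmk", CMK_ARN,
                             "prod-cache-b-pre-migration"))
```

In a real audit the records come from `describe_replication_groups` (paginated, so concatenate all pages before calling `audit`), and a rollout would take the backup, create the replacement group from it with the parameters `remediation_params` returns, repoint clients, and only then delete the old group.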

See AWS documentation here for detailed guidance.