lacework-global-716
AWS ElastiCache Replication Group encryption-at-rest should use a Customer-Managed Key Management Service (KMS) Key
Description
As a security best practice, use a customer-managed KMS key instead of the default Key Management Service (KMS) key for encryption, to gain the ability to rotate the key according to your own policies, delete the key, and control access to the key via KMS key policies and Identity and Access Management (IAM) policies.
Remediation
You have limited options for modifying existing replication groups.
For replication groups that use the AWS default key for encryption, the solution is to take a backup of the existing replication group and recreate it from that backup, enabling encryption-at-rest and associating a customer-managed KMS key at creation time.
See the AWS documentation links under References for detailed guidance.
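The remediation above has two parts: finding which replication groups are encrypted with the AWS-managed default key rather than a customer-managed key, and recreating those groups from a backup with a customer-managed key supplied at creation. The following Python is an added example, not part of this policy page or of Lacework's own tooling. It works offline on constructed sample data shaped like the output of `aws elasticache describe-replication-groups` and `aws kms describe-key` (the KMS key's KeyManager field distinguishes AWS-managed from customer-managed keys), and it emits the aws CLI steps of the back-up-and-recreate procedure. The key ARNs, group IDs and snapshot names are constructed placeholders; treating a group that reports encryption enabled but no KmsKeyId as using the default key is an assumption.

```python
"""Audit ElastiCache replication groups for at-rest encryption with the AWS
default (AWS-managed) KMS key and build the recreate-from-backup remediation.

Inputs mirror the JSON shapes of `aws elasticache describe-replication-groups`
and `aws kms describe-key`; the samples below are constructed for this example.
"""

# Constructed sample: three groups in the shape of describe-replication-groups.
SAMPLE_REPLICATION_GROUPS = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "cache-unencrypted",
         "AtRestEncryptionEnabled": False},
        {"ReplicationGroupId": "cache-default-key",
         "AtRestEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-aws-managed"},
        {"ReplicationGroupId": "cache-cmk",
         "AtRestEncryptionEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111-customer"},
    ]
}

# Constructed sample: KeyMetadata as returned by `aws kms describe-key`.
# KeyManager is "AWS" for AWS-managed keys (such as aws/elasticache) and
# "CUSTOMER" for customer-managed keys.
SAMPLE_KMS_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/0000-aws-managed":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/1111-customer":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


def sample_kms_lookup(key_id):
    """Stand-in for `aws kms describe-key --key-id <id>` (constructed data)."""
    return SAMPLE_KMS_KEYS[key_id]


def classify_group(group, kms_lookup):
    """Return one of UNENCRYPTED, AWS_MANAGED_KEY, CUSTOMER_MANAGED_KEY."""
    if not group.get("AtRestEncryptionEnabled"):
        return "UNENCRYPTED"
    key_id = group.get("KmsKeyId")
    # Assumption: a group with at-rest encryption enabled but no KmsKeyId
    # recorded is using the service default key.
    if not key_id:
        return "AWS_MANAGED_KEY"
    manager = kms_lookup(key_id).get("KeyManager")
    return "CUSTOMER_MANAGED_KEY" if manager == "CUSTOMER" else "AWS_MANAGED_KEY"


def audit(describe_output, kms_lookup):
    """Map every replication group ID to its classification."""
    return {g["ReplicationGroupId"]: classify_group(g, kms_lookup)
            for g in describe_output["ReplicationGroups"]}


def remediation_plan(group_id, cmk_arn, new_group_id=None, snapshot_name=None):
    """aws CLI steps: back up, recreate with the CMK, then retire the old group.

    A replication group ID cannot be reused until the old group is deleted,
    so the replacement is created under a new ID by default.
    """
    new_group_id = new_group_id or f"{group_id}-cmk"
    snapshot_name = snapshot_name or f"{group_id}-pre-cmk"
    return [
        f"aws elasticache create-snapshot --replication-group-id {group_id} "
        f"--snapshot-name {snapshot_name}",
        f"aws elasticache create-replication-group --replication-group-id {new_group_id} "
        f"--replication-group-description 'restored with customer-managed key' "
        f"--snapshot-name {snapshot_name} --at-rest-encryption-enabled "
        f"--kms-key-id {cmk_arn}",
        f"aws elasticache delete-replication-group --replication-group-id {group_id} "
        f"--final-snapshot-identifier {group_id}-final",
    ]


def plans_for_findings(findings, cmk_arn):
    """Plans for groups on the AWS-managed key; unencrypted groups are only
    reported, since this policy concerns the choice of key."""
    return {gid: remediation_plan(gid, cmk_arn)
            for gid, status in findings.items() if status == "AWS_MANAGED_KEY"}


if __name__ == "__main__":
    results = audit(SAMPLE_REPLICATION_GROUPS, sample_kms_lookup)
    for gid, status in results.items():
        print(f"{gid}: {status}")
    cmk = "arn:aws:kms:us-east-1:111122223333:key/1111-customer"
    for gid, steps in plans_for_findings(results, cmk).items():
        print(f"\nremediation for {gid}:")
        print("\n".join(steps))
```

To run this against a real account, replace the two constructed samples with the parsed JSON from the two aws CLI calls named in the docstring; the generated commands are meant to be reviewed before execution, since the delete step is destructive and the application must be repointed to the new replication group's endpoint first.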
References
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#using-customer-managed-keys-for-elasticache-security
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#at-reset-encryption-enable-existing-cluster