Authenticating with the Redis AUTH command
Note
Redis AUTH has been superseded by Role-Based Access Control (RBAC). All serverless caches must use RBAC for authentication.
Redis authentication tokens, or passwords, enable Redis to require a password before allowing clients to run commands, thereby improving data security. Redis AUTH is available for self-designed clusters only.
Topics
Overview of AUTH in ElastiCache for Redis
When you use Redis AUTH with your ElastiCache for Redis cluster, there are some refinements.
In particular, be aware of these AUTH token, or password, constraints when using AUTH with ElastiCache for Redis:
-
Tokens, or passwords, must be 16–128 printable characters.
-
Nonalphanumeric characters are restricted to (!, &, #, $, ^, <, >, -).
-
AUTH can only be enabled for encryption in-transit enabled ElastiCache for Redis clusters.
To set up a strong token, we recommend that you follow a strict password policy, such as requiring the following:
-
Tokens, or passwords, must include at least three of the following character types:
-
Uppercase characters
-
Lowercase characters
-
Digits
-
Nonalphanumeric characters (
!
,&
,#
,$
,^
,<
,>
,-
)
-
-
Tokens, or passwords, must not contain a dictionary word or a slightly modified dictionary word.
-
Tokens, or passwords, must not be the same as or similar to a recently used token.
Applying authentication to an ElastiCache for Redis cluster
You can require that users enter a token (password) on a token-protected Redis server. To do
this, include the parameter --auth-token
(API: AuthToken
) with
the correct token when you create your replication group or cluster. Also include it
in all subsequent commands to the replication group or cluster.
The following AWS CLI operation creates a replication group with encryption in transit (TLS)
enabled and the AUTH token
. Replace the
subnet group This-is-a-sample-token
sng-test
with a subnet group that exists.
Key parameters
-
--engine
– Must beredis
. -
--engine-version
– Must be 3.2.6, 4.0.10, or later. -
--transit-encryption-enabled
– Required for authentication and HIPAA eligibility. -
--auth-token
– Required for HIPAA eligibility. This value must be the correct token for this token-protected Redis server. -
--cache-subnet-group
– Required for HIPAA eligibility.
For Linux, macOS, or Unix:
aws elasticache create-replication-group \ --replication-group-id
authtestgroup
\ --replication-group-descriptionauthtest
\ --engineredis
\ --cache-node-typecache.m4.large
\ --num-node-groups1
\ --replicas-per-node-group2
\ --transit-encryption-enabled \ --auth-tokenThis-is-a-sample-token
\ --cache-subnet-groupsng-test
For Windows:
aws elasticache create-replication-group ^ --replication-group-id
authtestgroup
^ --replication-group-descriptionauthtest
^ --engineredis
^ --cache-node-typecache.m4.large
^ --num-node-groups1
^ --replicas-per-node-group2
^ --transit-encryption-enabled ^ --auth-tokenThis-is-a-sample-token
^ --cache-subnet-groupsng-test
Modifying the AUTH token on an existing ElastiCache for Redis cluster
To make it easier to update your authentication, you can modify the AUTH token used on an ElastiCache for Redis cluster. You can make this modification if the engine version is 5.0.6 or higher and if ElastiCache for Redis has encryption in transit enabled.
Modifying the auth token supports two strategies: ROTATE and SET. The ROTATE strategy
adds an additional AUTH token to the server while retaining the
previous token. The SET strategy updates the server to support just a single
AUTH token. Make these modification calls with the
--apply-immediately
parameter to apply changes immediately.
Rotating the AUTH token
To update a Redis server with a new AUTH token, call the
ModifyReplicationGroup
API with the --auth-token
parameter as the new auth token and the --auth-token-update-strategy
with the value ROTATE. After the modification is complete, the cluster will support
the previous AUTH token in addition to the one specified in the
auth-token
parameter.
Note
If you do not configure the AUTH token before, then once the modification is complete, the cluster will support no AUTH token in addition to the one specified in the auth-token parameter.
If this modification is performed on a server that already supports two AUTH tokens, the oldest AUTH token will also be removed during this operation, allowing a server to support up to two most recent AUTH tokens at a given time.
At this point, you can proceed by updating the client to use the latest AUTH token. After the clients are updated, you can use the SET strategy for AUTH token rotation (explained in the following section) to exclusively start using the new token.
The following AWS CLI operation modifies a replication group to rotate the
AUTH token
.This-is-the-rotated-token
For Linux, macOS, or Unix:
aws elasticache modify-replication-group \ --replication-group-id
authtestgroup
\ --auth-tokenThis-is-the-rotated-token
\ --auth-token-update-strategy ROTATE \ --apply-immediately
For Windows:
aws elasticache modify-replication-group ^ --replication-group-id
authtestgroup
^ --auth-tokenThis-is-the-rotated-token
^ --auth-token-update-strategy ROTATE ^ --apply-immediately
Setting the AUTH token
To update a Redis server with two AUTH tokens to support a
single AUTH token, call the ModifyReplicationGroup
API operation. Call ModifyReplicationGroup
with the
--auth-token
parameter as the new AUTH token and
the --auth-token-update-strategy
parameter with the value SET. The
auth-token
parameter must be the same value as the last
AUTH token rotated. After the modification is complete, the
Redis server supports only the AUTH token specified in the
auth-token
parameter.
The following AWS CLI operation modifies a replication group to set the
AUTH token to
.This-is-the-set-token
For Linux, macOS, or Unix:
aws elasticache modify-replication-group \ --replication-group-id
authtestgroup
\ --auth-tokenThis-is-the-set-token
\ --auth-token-update-strategy SET \ --apply-immediately
For Windows:
aws elasticache modify-replication-group ^ --replication-group-id
authtestgroup
^ --auth-tokenThis-is-the-set-token
^ --auth-token-update-strategy SET ^ --apply-immediately
Enabling authentication on an existing ElastiCache for Redis cluster
To enable authentication on an existing Redis server, call the
ModifyReplicationGroup
API operation. Call
ModifyReplicationGroup
with the --auth-token
parameter
as the new token and the --auth-token-update-strategy
with the value
ROTATE.
After the modification is complete, the cluster supports the
AUTH token specified in the auth-token
parameter
in addition to supporting connecting without authentication. Enabling authentication
is only supported on Redis servers with encryption in transit (TLS) enabled.
Migrating from RBAC to Redis AUTH
If you are authenticating users with Redis Role-Based Access Control (RBAC) as described in Authenticating users with role-based access control (RBAC) and want to migrate to Redis AUTH, use the following procedures. You can migrate using either console or CLI.
To migrate from RBAC to Redis AUTH using the console
Sign in to the AWS Management Console and open the ElastiCache console at https://console.aws.amazon.com/elasticache/
. -
From the list in the upper-right corner, choose the AWS Region where the cluster that you want to modify is located.
-
In the navigation pane, choose the engine running on the cluster that you want to modify.
A list of the chosen engine's clusters appears.
-
In the list of clusters, for the cluster that you want to modify, choose its name.
-
For Actions, choose Modify.
The Modify window appears.
-
For Access control, choose Redis AUTH default user access.
-
Under Redis AUTH token, set a new token.
-
Choose Preview changes and then on the next screen, Modify.
To migrate from RBAC to Redis AUTH using the AWS CLI
-
Use one of the following commands.
For Linux, macOS, or Unix:
aws elasticache modify-replication-group \ --replication-group-id test \ --remove-user-groups \ --auth-token password \ --auth-token-update-strategy SET \ --apply-immediately
For Windows:
aws elasticache modify-replication-group ^ --replication-group-id test ^ --remove-user-groups ^ --auth-token password ^ --auth-token-update-strategy SET ^ --apply-immediately
For more information on working with AUTH, see AUTH
token
Note
If you need to disable access control on an ElastiCache Cluster, see Disabling access control on an ElastiCache Redis cache