At-Rest Encryption in ElastiCache
To help keep your data secure, Amazon ElastiCache and Amazon S3 provide different ways to restrict access to data in your cache. For more information, see Amazon VPCs and ElastiCache security and Identity and Access Management for Amazon ElastiCache.
When at-rest encryption is enabled, ElastiCache encrypts the following:
- Disk during sync and swap operations
ElastiCache offers default (service managed) encryption at rest, as well as the ability to use your own symmetric customer managed AWS KMS keys in AWS Key Management Service (KMS). When you create the cache, under encryption options, choose whether to use the default encryption key or a customer managed key. For more information, see Enabling At-Rest Encryption.
Note
The default (service managed) encryption is the only option available in the GovCloud (US) Regions.
The at-rest encryption settings of a cache, including the choice of key, are fixed when the cache is created. Because encrypting and decrypting data takes some processing, at-rest encryption can affect performance during those operations. Benchmark your workload with and without at-rest encryption to measure the impact for your use case.
At-Rest Encryption Conditions
Keep the following constraints in mind when you plan your implementation of ElastiCache encryption at rest:
At-rest encryption is supported only on serverless caches.
The option to use customer managed key for encryption at rest is not available in AWS GovCloud (us-gov-east-1 and us-gov-west-1) regions.
Using customer managed keys from AWS KMS
ElastiCache supports symmetric customer managed AWS KMS keys (KMS key) for encryption at rest. Customer-managed KMS keys are encryption keys that you create, own and manage in your AWS account. For more information, see AWS KMS keys in the AWS Key Management Service Developer Guide. The keys must be created in AWS KMS before they can be used with ElastiCache.
To learn how to create AWS KMS root keys, see Creating Keys in the AWS Key Management Service Developer Guide.
ElastiCache integrates with AWS KMS through grants; no customer action is needed to enable the integration. For more information, see Using Grants in the AWS Key Management Service Developer Guide.
The kms:ViaService condition key limits use of an AWS KMS key (KMS key) to requests from specified AWS services. To use kms:ViaService with ElastiCache, include both ViaService names in the condition key value: elasticache.AWS_region.amazonaws.com and dax.AWS_region.amazonaws.com. For more information, see kms:ViaService.
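The following is an added example, not code from the ElastiCache or KMS documentation. It builds a key policy statement that lets a role use the key only when the request arrives through ElastiCache, using both ViaService names for the region, and it audits an existing key policy for statements that scope with kms:ViaService but name only one of the two services. The account ID, role ARN and region are constructed placeholders, and the KMS actions granted to the role are an assumption (the page only says that ElastiCache uses grants).

```python
"""Build and audit a KMS key policy scoped to ElastiCache with kms:ViaService.

Added example; not from the ElastiCache or KMS documentation. Account ID, role
ARN and region are placeholders. KMS_ACTIONS is an assumption: the page only
says ElastiCache consumes the key through grants.
"""
import json

ACCOUNT_ID = "111122223333"                                        # placeholder
CACHE_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/CacheAdmin"     # placeholder
KMS_ACTIONS = ["kms:CreateGrant", "kms:DescribeKey"]                 # assumed minimum


def via_service_names(region):
    """Both ViaService names the page requires, for one region."""
    return [f"elasticache.{region}.amazonaws.com", f"dax.{region}.amazonaws.com"]


def elasticache_statement(region, principal_arn, sid="AllowElastiCacheViaService"):
    """Allow principal_arn to use the key only when the call comes via ElastiCache."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": via_service_names(region)}},
    }


def key_policy(region, principal_arn, account_id=ACCOUNT_ID):
    """Full key policy: the account-root statement plus the scoped statement.
    Without a statement letting the account manage the key, the key becomes
    unmanageable, so the root statement is kept."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            elasticache_statement(region, principal_arn),
        ],
    }


def _via_service_values(statement):
    """kms:ViaService values of a statement as a list, or None if not used."""
    cond = statement.get("Condition") or {}
    for op in ("StringEquals", "ForAnyValue:StringEquals", "StringEqualsIfExists"):
        values = (cond.get(op) or {}).get("kms:ViaService")
        if values is not None:
            return [values] if isinstance(values, str) else list(values)
    return None


def incomplete_via_service(policy, region):
    """Sid -> missing ViaService names for Allow statements that scope with
    kms:ViaService but do not name both services for the region. Such a
    statement blocks the path the page says ElastiCache needs."""
    wanted = via_service_names(region)
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        values = _via_service_values(stmt)
        if values is None:
            continue  # not scoped by ViaService; outside this check
        missing = [name for name in wanted if name not in values]
        if missing:
            findings[stmt.get("Sid", "<no Sid>")] = missing
    return findings


# Constructed weak policy: scopes to ElastiCache but omits the dax name.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyElastiCache",
            "Effect": "Allow",
            "Principal": {"AWS": CACHE_ADMIN_ROLE},
            "Action": KMS_ACTIONS,
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "elasticache.us-east-1.amazonaws.com"}},
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(key_policy("us-east-1", CACHE_ADMIN_ROLE), indent=2))
    print("weak policy findings:", incomplete_via_service(WEAK_POLICY, "us-east-1"))
```

Because the ViaService names embed the Region, a policy written for one Region does not cover a cache created in another; the audit function reports both names as missing in that case.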
You can use AWS CloudTrail to track the requests that Amazon ElastiCache sends to AWS Key Management Service on your behalf. All API calls to AWS Key Management Service related to customer managed keys have corresponding CloudTrail logs. You can also see the grants that ElastiCache creates by calling the ListGrants KMS API call.
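As an added example that is not part of the ElastiCache documentation, the script below triages CloudTrail records for KMS activity on a cache's customer managed key: it separates calls that ElastiCache made on your behalf (identified here by the userIdentity.invokedBy field) from calls a principal made directly, and it flags the operations that the section below says can make the cache irrecoverable. The events, key ARN, account ID and principals are constructed for the example.

```python
"""Triage CloudTrail records for KMS activity on an ElastiCache customer managed key.

Added example; not part of the ElastiCache documentation. SAMPLE_EVENTS are
constructed to resemble CloudTrail KMS records; the key ARN, account ID and
principals are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"  # placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/99999999-8888-7777-6666-555555555555"

# Operations that, per the page, can leave a cache encrypted under the key irrecoverable.
DESTRUCTIVE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "RevokeGrant", "RetireGrant"}

SAMPLE_EVENTS = [  # constructed records
    {   # ElastiCache creating its per-cache grant as the cache is created
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/CacheAdmin/alice",
                         "invokedBy": "elasticache.amazonaws.com"},
        "requestParameters": {"keyId": KEY_ARN},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # ElastiCache using the grant
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AWSService", "invokedBy": "elasticache.amazonaws.com"},
        "requestParameters": None,
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # a human principal calling KMS on the cache key directly
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob"},
        "requestParameters": None,
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # key deletion scheduled: the cache becomes irrecoverable once it completes
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/mallory"},
        "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    },
    {   # activity on an unrelated key
        "eventTime": "2024-05-01T12:30:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
        "requestParameters": None,
        "resources": [{"type": "AWS::KMS::Key", "ARN": OTHER_KEY_ARN}],
    },
    {   # a non-KMS record
        "eventTime": "2024-05-01T13:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob"},
        "requestParameters": {"bucketName": "example-bucket", "key": "backup.rdb"},
        "resources": [],
    },
]


def _key_arns(event):
    """Key ARNs a record refers to, from resources[] and requestParameters.keyId."""
    arns = {r.get("ARN") for r in event.get("resources") or [] if r.get("ARN")}
    key_id = (event.get("requestParameters") or {}).get("keyId")
    if key_id:
        arns.add(key_id)
    return arns


def kms_events_for_key(events, key_arn):
    """All KMS records that touch key_arn."""
    return [e for e in events
            if e.get("eventSource") == "kms.amazonaws.com" and key_arn in _key_arns(e)]


def service_usage(events, key_arn):
    """Invoking AWS service -> sorted KMS operations it performed on the key."""
    usage = {}
    for e in kms_events_for_key(events, key_arn):
        service = (e.get("userIdentity") or {}).get("invokedBy")
        if service:
            usage.setdefault(service, set()).add(e["eventName"])
    return {service: sorted(ops) for service, ops in usage.items()}


def direct_use(events, key_arn):
    """Records where a principal called KMS on the key without going through a service."""
    return [e for e in kms_events_for_key(events, key_arn)
            if not (e.get("userIdentity") or {}).get("invokedBy")]


def destructive_events(events, key_arn):
    """Records that disable, delete or strip grants from the key."""
    return [e for e in kms_events_for_key(events, key_arn) if e["eventName"] in DESTRUCTIVE_EVENTS]


if __name__ == "__main__":
    print(json.dumps(service_usage(SAMPLE_EVENTS, KEY_ARN), indent=2))
    for e in direct_use(SAMPLE_EVENTS, KEY_ARN):
        print("direct:", e["eventTime"], e["eventName"], e["userIdentity"].get("arn"))
    for e in destructive_events(SAMPLE_EVENTS, KEY_ARN):
        print("ALERT:", e["eventTime"], e["eventName"], e["userIdentity"].get("arn"))
```

In a real deployment the records would come from a CloudTrail lookup or an S3 export rather than an inline list; the filters are the part worth keeping, and an alert on destructive_events for any key that an ElastiCache cache uses gives you the seven-day deletion window described below to react.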
If you delete the key, or disable the key and revoke its grants, the cache that was encrypted with it becomes irrecoverable: it cannot be modified, and it cannot be recovered after a hardware failure. AWS KMS deletes root keys only after a waiting period of at least seven days. Use that waiting period, before the key is deleted, to create a backup encrypted with a different customer managed key for archival purposes.
Automatic key rotation preserves the properties of your AWS KMS root keys, so the rotation has no effect on your ability to access your ElastiCache data. Encrypted Amazon ElastiCache caches don't support manual key rotation, which involves creating a new root key and updating any references to the old key. To learn more, see Rotating AWS KMS keys in the AWS Key Management Service Developer Guide.
Encrypting an ElastiCache cache using KMS key requires one grant per cache. This grant is used throughout the lifespan of the cache.
For more information on AWS KMS grants and limits, see Limits in the AWS Key Management Service Developer Guide.
Enabling At-Rest Encryption
All serverless caches have at-rest encryption enabled.
You can enable at-rest encryption when you create an ElastiCache cache. You can do so using the AWS Management Console, the AWS CLI, or the ElastiCache API.
When creating a cache, you can pick one of the following options:
- Default – This option uses service managed encryption at rest.
- Customer managed key – This option allows you to provide the Key ID/ARN from AWS KMS for encryption at rest.
To learn how to create AWS KMS root keys, see Create Keys in the AWS Key Management Service Developer Guide.
Enabling At-Rest Encryption Using the AWS Management Console
All serverless caches have at-rest encryption enabled. By default, an AWS-owned KMS key is used to encrypt data. To choose your own AWS KMS key when creating the cache in the console, make the following selections:
1. Expand the Default settings section.
2. Choose Customize default settings under the Default settings section.
3. Choose Customize your security settings under the Security section.
4. Choose Customer managed CMK under the Encryption key setting.
5. Select a key under the AWS KMS key setting.