Monitor Amazon ElastiCache clusters for at-rest encryption - AWS Prescriptive Guidance

Environment: Production

Technologies: Security, identity, compliance; Databases; Infrastructure; CloudNative

Workload: Open-source

AWS services: Amazon SNS; Amazon CloudWatch; Amazon ElastiCache

Summary

Amazon ElastiCache is an Amazon Web Services (AWS) service that provides a high-performance, scalable, and cost-effective caching solution for deploying a distributed in-memory data store or cache environment in the cloud. It serves data from high-throughput, low-latency, in-memory data stores. This makes it a popular choice for real-time use cases such as caching, session stores, gaming, geospatial services, real-time analytics, and queuing. ElastiCache offers Redis and Memcached data stores, both of which provide sub-millisecond response times.

Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems. This includes data saved to persistent media, known as data at rest, and data that can be intercepted as it travels through the network between clients and cache servers, known as data in transit.

You can enable at-rest encryption for ElastiCache for Redis when you create a replication group, by setting the AtRestEncryptionEnabled parameter to true. When this parameter is enabled, it encrypts the disk during sync, backup, and swap operations, and encrypts backups stored in Amazon Simple Storage Service (Amazon S3). You cannot enable at-rest encryption on an existing replication group. When you create a replication group, you can enable encryption at rest in these two ways:

  • By choosing the Default option, which uses service-managed encryption at rest.

  • By using a customer managed key and providing the key ID or Amazon Resource Name (ARN) from AWS Key Management Service (AWS KMS).

This pattern provides a security control that monitors API calls and generates an Amazon CloudWatch Events event on the CreateReplicationGroup operation. This event invokes an AWS Lambda function, which runs a Python script. The function reads the replication group ID from the event JSON input and performs the following checks to determine whether there is a security violation:

  • Checks if the AtRestEncryptionEnabled key exists.

  • If AtRestEncryptionEnabled exists, checks the value to see if it is true.

  • If the AtRestEncryptionEnabled value is set to false, sets a variable that tracks violations and sends a violation message to an email address you provide, by using an Amazon Simple Notification Service (Amazon SNS) notification.
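The three checks above, written out as an added example (this is not the Lambda code in the pattern's attachment). It assumes the CloudWatch Events event carries the API call in the CloudTrail shape (detail.eventName and detail.requestParameters), that the parameter-name casing inside requestParameters may differ from the API's, and that the SNS topic ARN arrives in an environment variable named SNS_TOPIC_ARN; the publish step is injectable so the check runs without the AWS SDK.

```python
"""Check a CreateReplicationGroup API event for at-rest encryption."""
import os

# Constructed sample in the shape of a CloudTrail API call delivered via
# CloudWatch Events. The parameter-name casing inside requestParameters is
# an assumption, so the lookup below is case-insensitive.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "CreateReplicationGroup",
        "awsRegion": "us-east-1",
        "requestParameters": {"replicationGroupId": "demo-rg",
                              "atRestEncryptionEnabled": False},
    },
}


def _get_ci(params, name):
    """Case-insensitive lookup of a request parameter; None if absent."""
    for key, value in params.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_event(event):
    """Return (replication_group_id, message); message is None when compliant."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateReplicationGroup":
        return None, None  # not the API call this control watches
    params = detail.get("requestParameters") or {}
    rg_id = _get_ci(params, "ReplicationGroupId")
    enabled = _get_ci(params, "AtRestEncryptionEnabled")
    if enabled is True:  # key present and true: compliant
        return rg_id, None
    reason = "was not specified" if enabled is None else "is set to false"
    return rg_id, (f"Violation: replication group {rg_id} in "
                   f"{detail.get('awsRegion')}: AtRestEncryptionEnabled {reason}.")


def lambda_handler(event, context, publish=None):
    """Entry point; `publish` is injectable for tests and defaults to Amazon SNS."""
    rg_id, message = evaluate_event(event)
    if message is None:
        return {"violation": False, "replicationGroupId": rg_id}
    if publish is None:  # SNS_TOPIC_ARN is an assumed environment variable name
        import boto3  # imported lazily so the check itself runs without the SDK
        topic = os.environ["SNS_TOPIC_ARN"]
        publish = lambda m: boto3.client("sns").publish(TopicArn=topic, Message=m)
    publish(message)
    return {"violation": True, "replicationGroupId": rg_id}
```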

Prerequisites and limitations

Prerequisites

  • An active AWS account.

  • An S3 bucket to upload the provided Lambda code.

  • An email address where you would like to receive violation notifications.

  • ElastiCache logging enabled, for access to all the API logs.

Limitations

  • This detective control is regional and must be deployed in each AWS Region that you want to monitor.

  • The control supports replication groups that are running in a virtual private cloud (VPC).

  • The control supports replication groups that are running the following node types:

    • R5, R4, R3

    • M5, M4, M3

    • T3, T2

Product versions

  • ElastiCache for Redis version 3.2.6 or later

Architecture

Workflow architecture

Automation and scale

  • If you are using AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template in the multiple accounts that you want to monitor.

Tools

AWS services

  • Amazon ElastiCache – Amazon ElastiCache makes it easy to set up, manage, and scale distributed in-memory cache environments in the AWS Cloud. It provides a high performance, resizable, and cost-effective in-memory cache, while removing complexity associated with deploying and managing a distributed cache environment. ElastiCache works with both the Redis and Memcached engines.

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.

  • Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events becomes aware of operational changes as they occur and takes corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.

  • AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running. 

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.

Code

This pattern includes an attachment with two files:

  • ElasticCache-EncryptionAtRest.zip is a compressed file that includes the security control (Lambda code).

  • elasticache_encryption_at_rest.yml is a CloudFormation template that deploys the security control.

See the Epics section for information about how to use these files.

Epics

Task: Upload the code to an S3 bucket.

Description: Create a new S3 bucket or use an existing S3 bucket to upload the attached ElastiCache-EncryptionAtRest.zip file (Lambda code). This bucket must be in the same AWS Region as the resources that you want to evaluate.

Skills required: Cloud architect

Task: Deploy the CloudFormation template.

Description: Open the CloudFormation console in the same AWS Region as the S3 bucket, and deploy the elasticache_encryption_at_rest.yml file that's provided in the attachment. In the next epic, provide values for the template parameters.

Skills required: Cloud architect
Task: Provide the S3 bucket name.

Description: Enter the name of the S3 bucket that you created or selected in the first epic. This S3 bucket contains the .zip file for the Lambda code and must be in the same AWS Region as the CloudFormation template and the resource that will be evaluated.

Skills required: Cloud architect

Task: Provide the S3 key.

Description: Provide the location of the Lambda code .zip file in your S3 bucket, without leading slashes (for example, ElasticCache-EncryptionAtRest.zip or controls/ElasticCache-EncryptionAtRest.zip).

Skills required: Cloud architect

Task: Provide an email address.

Description: Provide an active email address where you want to receive violation notifications.

Skills required: Cloud architect

Task: Specify a logging level.

Description: Specify the logging level and verbosity. Info designates detailed informational messages on the application's progress and should be used only for debugging. Error designates error events that could still allow the application to continue running. Warning designates potentially harmful situations.

Skills required: Cloud architect
Task: Confirm the email subscription.

Description: When the CloudFormation template deploys successfully, it sends a subscription email message to the email address you provided. To receive notifications, you must confirm this email subscription.

Skills required: Cloud architect

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip