Encryption at Rest - Architecting for HIPAA Security and Compliance on Amazon Web Services

Encryption at Rest

Amazon ElastiCache for Redis provides data encryption for its clusters to help protect data at rest. When customers enable encryption at rest for a cluster at the time of creation, Amazon ElastiCache for Redis encrypts data on disk and automated Redis backups. Customer data on disk is encrypted using hardware-accelerated Advanced Encryption Standard (AES)-512 symmetric keys. Redis backups are encrypted through Amazon S3-managed encryption keys (SSE-S3). An S3 bucket with server-side encryption enabled encrypts the data using hardware-accelerated Advanced Encryption Standard (AES)-256 symmetric keys before saving it in the bucket.

For more details on Amazon S3-managed encryption keys (SSE-S3), see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3). On an ElastiCache Redis cluster (single or multi-node) running with encryption, data stored at rest is encrypted consistent with the Guidance in effect at the time of publication of this whitepaper. This includes data on disk and automated backups in an S3 bucket. Because the Guidance might be updated, customers should continue to evaluate and determine whether Amazon ElastiCache for Redis encryption satisfies their compliance and regulatory requirements. For more information about encryption at rest using Amazon ElastiCache for Redis, see What Is Amazon ElastiCache for Redis?
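Because encryption at rest is chosen when the cluster is created, an inventory check for groups that were created without it is a useful control. The following is an added example, not part of the whitepaper: it audits data shaped like the ElastiCache DescribeReplicationGroups API response, and the sample response, group IDs and function name are constructed for illustration.

```python
import json

# Constructed sample, shaped like the ReplicationGroups list returned by the
# ElastiCache DescribeReplicationGroups API (IDs and values are made up).
SAMPLE_RESPONSE = json.loads("""
{"ReplicationGroups": [
  {"ReplicationGroupId": "phi-cache-prod", "Status": "available",
   "AtRestEncryptionEnabled": true, "SnapshotRetentionLimit": 7},
  {"ReplicationGroupId": "phi-cache-legacy", "Status": "available",
   "AtRestEncryptionEnabled": false, "SnapshotRetentionLimit": 3},
  {"ReplicationGroupId": "session-cache", "Status": "available",
   "SnapshotRetentionLimit": 0}
]}
""")


def audit_at_rest_encryption(response):
    """Return one finding per replication group lacking at-rest encryption."""
    findings = []
    for group in response.get("ReplicationGroups", []):
        # A missing flag is treated as "not encrypted" so gaps fail closed.
        if group.get("AtRestEncryptionEnabled", False):
            continue
        findings.append({
            "id": group.get("ReplicationGroupId", "<unknown>"),
            # Automated backups exist only when retention is above zero;
            # they are then outside at-rest encryption as well.
            "has_automated_backups": group.get("SnapshotRetentionLimit", 0) > 0,
        })
    return findings


if __name__ == "__main__":
    for f in audit_at_rest_encryption(SAMPLE_RESPONSE):
        scope = "disk and automated backups" if f["has_automated_backups"] else "disk"
        print(f"{f['id']}: at-rest encryption not enabled ({scope})")
```

The same function can be fed each page of a live `describe_replication_groups` call from the boto3 `elasticache` client.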