lacework-global-716
AWS ElastiCache Replication Group encryption-at-rest should use a Customer Managed Key
Description
As a security best practice, a Customer Managed Key should be used instead of the default KMS key for encryption, to gain the ability to rotate the key according to your own policies, delete the key, and control access to the key via KMS key policies and IAM policies.
Remediation
Modifications to Replication Groups are limited.
Replication groups which are using the AWS default key for encryption need to be recreated and restored from a backup of the existing replication group. Upon recreation, encryption-at-rest should be enabled and associated with a Customer Managed Key.
See the AWS documentation for detailed guidance.
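An added example, not part of the original page and not Lacework's own policy logic: a Python check that applies this rule to output shaped like `aws elasticache describe-replication-groups`, using the `KeyManager` value from `aws kms describe-key` to tell customer managed keys from AWS managed ones. The group names, key ARNs and the treatment of a missing `KmsKeyId` as "default key in use" are assumptions, and the sample data is constructed.

```python
# Constructed sample shaped like `aws elasticache describe-replication-groups`.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
AWS_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_GROUPS = {
    "ReplicationGroups": [
        {"ReplicationGroupId": "sessions", "AtRestEncryptionEnabled": False},
        {"ReplicationGroupId": "cache-default", "AtRestEncryptionEnabled": True},
        {"ReplicationGroupId": "cache-awskey", "AtRestEncryptionEnabled": True,
         "KmsKeyId": AWS_ARN},
        {"ReplicationGroupId": "cache-cmk", "AtRestEncryptionEnabled": True,
         "KmsKeyId": CMK_ARN},
    ]
}
# Constructed map of key ARN -> KeyMetadata.KeyManager ("AWS" or "CUSTOMER"),
# as returned per key by `aws kms describe-key`.
SAMPLE_KEY_MANAGERS = {CMK_ARN: "CUSTOMER", AWS_ARN: "AWS"}


def evaluate_group(group, key_managers):
    """Return None when the group uses a customer managed key, else a reason."""
    if not group.get("AtRestEncryptionEnabled"):
        return "encryption-at-rest is disabled"
    key_id = group.get("KmsKeyId")
    if not key_id:
        # Assumption: no KmsKeyId on an encrypted group means the default key.
        return "encrypted with the default key"
    manager = key_managers.get(key_id)
    if manager is None:
        # Fail closed: a key we could not describe is not proven to be a CMK.
        return "key manager could not be determined"
    if manager != "CUSTOMER":
        return "KMS key is not customer managed"
    return None


def find_noncompliant(groups_response, key_managers):
    """Map each non-compliant ReplicationGroupId to the reason it failed."""
    findings = {}
    for group in groups_response.get("ReplicationGroups", []):
        reason = evaluate_group(group, key_managers)
        if reason is not None:
            findings[group["ReplicationGroupId"]] = reason
    return findings


if __name__ == "__main__":
    for group_id, reason in find_noncompliant(SAMPLE_GROUPS, SAMPLE_KEY_MANAGERS).items():
        print(f"{group_id}: {reason} (recreate from backup with a Customer Managed Key)")
```

Every group the check reports needs the recreate-and-restore remediation described above, since the key cannot be changed on the existing replication group.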