
More Info:

This rule checks whether Amazon ElastiCache replication groups have Redis AUTH enabled. Redis AUTH provides authentication and access control mechanisms to secure ElastiCache clusters. The rule is marked as non-compliant for an ElastiCache replication group if the Redis version of its nodes is below 6 (since Version 6+ uses Redis ACLs) and the ‘AuthToken’ parameter is missing or is empty/null.
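The rule's decision logic, as an added example that is not the rule engine's own code. It assumes the `AuthTokenEnabled` field returned by `describe_replication_groups` reflects whether an `AuthToken` was set, reads node versions from `describe_cache_clusters`, and treats an unknown version as below 6; the function names and sample records are constructed for illustration.

```python
# Constructed sample records, trimmed to the fields the check reads. They mirror
# the shape of boto3 describe_replication_groups / describe_cache_clusters output.
SAMPLE_GROUPS = [
    {"ReplicationGroupId": "legacy-noauth", "AuthTokenEnabled": False,
     "MemberClusters": ["legacy-noauth-001", "legacy-noauth-002"]},
    {"ReplicationGroupId": "legacy-auth", "AuthTokenEnabled": True,
     "MemberClusters": ["legacy-auth-001"]},
    {"ReplicationGroupId": "acl-era", "AuthTokenEnabled": False,
     "MemberClusters": ["acl-era-001"]},
    {"ReplicationGroupId": "unknown-nodes", "AuthTokenEnabled": False,
     "MemberClusters": ["unknown-nodes-001"]},
]
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "legacy-noauth-001", "EngineVersion": "5.0.6"},
    {"CacheClusterId": "legacy-noauth-002", "EngineVersion": "5.0.6"},
    {"CacheClusterId": "legacy-auth-001", "EngineVersion": "4.0.10"},
    {"CacheClusterId": "acl-era-001", "EngineVersion": "6.2.6"},
]


def major_version(engine_version):
    """Return the major version as an int, or None if it cannot be parsed."""
    head = str(engine_version or "").split(".")[0]
    return int(head) if head.isdigit() else None


def find_noncompliant(groups, clusters):
    """IDs of groups with a node below Redis 6 and no AUTH token enabled."""
    versions = {c["CacheClusterId"]: c.get("EngineVersion") for c in clusters}
    findings = []
    for group in groups:
        majors = [major_version(versions.get(m)) for m in group.get("MemberClusters", [])]
        # Assumption: an unknown or missing version counts as below 6 (fail closed).
        below_6 = not majors or any(m is None or m < 6 for m in majors)
        if below_6 and not group.get("AuthTokenEnabled"):
            findings.append(group["ReplicationGroupId"])
    return findings


def fetch_inventory(client):
    """Collect live data; client is boto3.client('elasticache')."""
    groups = [g for page in client.get_paginator("describe_replication_groups").paginate()
              for g in page["ReplicationGroups"]]
    clusters = [c for page in client.get_paginator("describe_cache_clusters").paginate()
                for c in page["CacheClusters"]]
    return groups, clusters


if __name__ == "__main__":
    print(find_noncompliant(SAMPLE_GROUPS, SAMPLE_CLUSTERS))
```

To run it against an account, pass the two lists returned by `fetch_inventory(boto3.client('elasticache'))` to `find_noncompliant`.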

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “Auth Should Be Enabled ElastiCache Replication Groups” for AWS ElasticSearch using the AWS console, follow these steps:
  1. Log in to the AWS Console: Go to the AWS Management Console and log in to your AWS account.
  2. Navigate to Amazon Elasticsearch Service: From the AWS Management Console, navigate to the Amazon Elasticsearch Service by typing “Elasticsearch” in the search bar and selecting the Elasticsearch service.
  3. Select the Elasticsearch Domain: Select the Elasticsearch domain for which you want to enable authentication.
  4. Click on the “Modify” Button: Click on the “Modify” button at the top of the Elasticsearch domain dashboard.
  5. Scroll down to the “Advanced security options” Section: Scroll down the page to find the “Advanced security options” section.
  6. Enable Auth: Under the “Advanced security options” section, you will find the “Require HTTPS” and “Enable Auth” options. Check the “Enable Auth” checkbox to enable authentication for the Elasticsearch domain.
  7. Configure Auth Settings: Configure the authentication settings as per your requirements. You can choose to use AWS Identity and Access Management (IAM) roles or configure a custom authentication mechanism.
  8. Save Changes: Once you have configured the authentication settings, scroll to the bottom of the page and click on the “Submit” button to save the changes.
  9. Monitor the Status: The modification process may take some time to complete. Monitor the status of the modification from the Elasticsearch domain dashboard.
  10. Verify Authentication: Once the modification is complete, verify that authentication is enabled for the Elasticsearch domain by trying to access the domain and providing the necessary credentials.
By following these steps, you can remediate the misconfiguration of “Auth Should Be Enabled ElastiCache Replication Groups” for AWS ElasticSearch using the AWS console.

Using CLI

To remediate the misconfiguration of Auth not being enabled in ElastiCache replication groups for AWS ElasticSearch using AWS CLI, you can follow these steps:
  1. Open your terminal or command prompt.
  2. Use the following AWS CLI command to enable Auth for your ElastiCache replication group:

```bash
aws elasticache modify-replication-group \
    --replication-group-id <your-replication-group-id> \
    --auth-token <your-auth-token> \
    --auth-token-update-strategy SET \
    --apply-immediately
```

Replace <your-replication-group-id> with the actual ID of your ElastiCache replication group and <your-auth-token> with your desired Auth Token.
  3. Verify the changes by describing the replication group using the following command:

```bash
aws elasticache describe-replication-groups --replication-group-id <your-replication-group-id>
```

Replace <your-replication-group-id> with the actual ID of your ElastiCache replication group.
  4. Check the output to ensure that Auth is now enabled for your ElastiCache replication group (the `AuthTokenEnabled` field).
By following these steps, you should be able to successfully remediate the misconfiguration of Auth not being enabled in ElastiCache replication groups for AWS ElasticSearch using AWS CLI.

Using Python

To enable Auth for ElastiCache Replication Groups in AWS, you can use the AWS Boto3 Python SDK to interact with the AWS API. Here are the step-by-step instructions:
  1. Install the Boto3 library if you haven’t already:

```bash
pip install boto3
```

  2. Create a Python script with the following code snippet to enable Auth for ElastiCache Replication Groups:

```python
import boto3

# Initialize the ElastiCache client
client = boto3.client('elasticache')

# Specify the Replication Group Id for which you want to enable Auth
replication_group_id = 'your_replication_group_id'

# Enable Auth for the specified Replication Group
response = client.modify_replication_group(
    ReplicationGroupId=replication_group_id,
    AuthToken='your_auth_token',  # Specify your desired Auth Token here
    AuthTokenUpdateStrategy='SET',
    ApplyImmediately=True
)

# Print the response
print(response)
```

  3. Replace 'your_replication_group_id' with the actual Replication Group Id for which you want to enable Auth.
  4. Replace 'your_auth_token' with your desired Auth Token. Make sure to keep this token secure as it will be used for authentication.
  5. Run the Python script. This will enable Auth for the specified ElastiCache Replication Group in AWS.
Please ensure that you have the necessary IAM permissions to modify ElastiCache Replication Groups before running the script.