Posted On: Aug 20, 2020
Amazon ElastiCache for Redis now supports encryption in-transit, encryption at-rest, and Redis authentication tokens to protect your data with additional security controls in the Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD.
You can enable encryption in-transit and encryption at-rest when creating a new cluster. Encryption in transit encrypts all communications between clients and Redis server as well as between the Redis servers (primary and read replica nodes). Encryption at rest increases data security by encrypting data on-disk and Amazon ElastiCache for Redis offers default (service managed) encryption at rest, as well as ability to use your own symmetric customer managed customer master keys (CMKs) in Amazon Key Management Service (KMS).
When you enable encryption at rest, using CMKs, Amazon ElastiCache for Redis encrypts all data on disk including service backups stored in Amazon S3 with your encryption key. With Amazon KMS integration and support for CMKs, ElastiCache for Redis now provides you more control and flexibility to meet your security requirements. To learn more about CMK support in ElastiCache for Redis, and other encryption options, see At-Rest Encryption in ElastiCache for Redis documentation.
Additionally, Amazon ElastiCache has also added support for Redis authentication tokens via Redis AUTH command on encryption in transit enabled clusters. Redis authentication tokens provide an added level of authentication by requiring a token (password) before allowing clients to execute commands. You can also modify active tokens using a two-step process that allows you to set and rotate the tokens without interrupting client requests.
These security features are available in both Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD. Redis AUTH, encryption at-rest and in-transit are supported on ElastiCache for Redis version 3.2.6 and 4.0.10 onwards. Modifying the AUTH token is supported on ElastiCache for Redis version 5.0.5 onwards.
These capabilities expand ElastiCache for Redis’ already available and comprehensive security controls, such as secure Amazon Virtual Private Cloud (Amazon VPC) setup and Amazon Identity and Access Management (Amazon IAM) integration.