v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH

Description

This control checks if ElastiCache for Redis replication groups have Redis AUTH enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use.

When you use Redis authentication tokens, or passwords, Redis requires a password before allowing clients to run commands, which improves data security. For Redis 6.0 and later versions, we recommend using Role-Based Access Control (RBAC). Since RBAC is not supported for Redis versions earlier than 6.0, this control only evaluates versions which can't use the RBAC feature.

Remediation

To use Redis AUTH on an ElastiCache for Redis replication group, see Modifying the AUTH token on an existing ElastiCache for Redis cluster in the Amazon ElastiCache User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elasticache_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elasticache_6 --share

SQL

This control uses a named query:

elasticache_replication_group_redis_auth_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = elasticache_6
plugin = aws
service = AWS/ElastiCache