Control: ElastiCache for Redis replication groups should be encrypted with CMK
Description
Ensure ElastiCache for Redis replication groups are encrypted using a CMK. The rule is non-compliant if the ElastiCache for Redis replication group is not encrypted using a CMK.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk --share
SQL
This control uses a named query:
with aws_elasticache_replication_groups as (
  select
    arn,
    at_rest_encryption_enabled,
    title,
    kms_key_id,
    region,
    account_id,
    _ctx
  from
    aws_elasticache_replication_group
  order by
    arn
),
kms_keys as (
  select
    k.arn,
    k.region,
    k.account_id,
    k.enabled
  from
    aws_kms_key as k
)
select
  r.arn as resource,
  case
    when not at_rest_encryption_enabled then 'alarm'
    when at_rest_encryption_enabled and kms_key_id is null then 'alarm'
    when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when not at_rest_encryption_enabled then r.title || ' encryption at rest disabled.'
    when at_rest_encryption_enabled and kms_key_id is null then r.title || ' encryption at rest not enabled with CMK.'
    when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then r.title || ' encryption at rest enabled with CMK.'
    else r.title || ' encryption at rest enabled with disabled CMK.'
  end as reason
  , r.region, r.account_id
from
  aws_elasticache_replication_groups as r
  left join kms_keys as k on k.arn = r.kms_key_id;
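
The final else branch of the query also catches replication groups whose kms_key_id matches no row in aws_kms_key: the left join leaves k.enabled null, so they are reported as "enabled with disabled CMK". The following added example (not part of the Powerpipe mod) reruns the same status logic in PostgreSQL over constructed rows and adds a hypothetical triage column that separates "no joined key row" from "key disabled"; the titles, ARNs and the triage column are made up for illustration.

```sql
-- Constructed sample rows standing in for the two Steampipe tables.
with replication_groups (title, at_rest_encryption_enabled, kms_key_id) as (
  values
    ('rg-plain',     false, null),
    ('rg-no-cmk',    true,  null),
    ('rg-cmk-ok',    true,  'arn:aws:kms:us-east-1:111111111111:key/example-enabled'),
    ('rg-cmk-off',   true,  'arn:aws:kms:us-east-1:111111111111:key/example-disabled'),
    ('rg-cmk-other', true,  'arn:aws:kms:us-east-1:222222222222:key/example-unlisted')
),
kms_keys (arn, enabled) as (
  values
    ('arn:aws:kms:us-east-1:111111111111:key/example-enabled',  true),
    ('arn:aws:kms:us-east-1:111111111111:key/example-disabled', false)
)
select
  r.title,
  -- Same status conditions as the control's named query.
  case
    when not r.at_rest_encryption_enabled then 'alarm'
    when r.at_rest_encryption_enabled and r.kms_key_id is null then 'alarm'
    when r.at_rest_encryption_enabled and r.kms_key_id is not null and k.enabled then 'ok'
    else 'alarm'
  end as status,
  -- Hypothetical triage column: splits the control's else branch in two.
  case
    when not r.at_rest_encryption_enabled then 'encryption at rest disabled'
    when r.kms_key_id is null then 'no CMK configured'
    when k.arn is null then 'CMK set, but no matching row in kms_keys'
    when k.enabled then 'CMK enabled'
    else 'CMK disabled'
  end as triage
from
  replication_groups as r
  left join kms_keys as k on k.arn = r.kms_key_id
order by
  r.title;
```

In this sample rg-cmk-other and rg-cmk-off both alarm, but only the second has a joined key row with enabled = false; the first needs a check of whether the key is visible to the connection running the control.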