[Update] AWS Security Hub Rolls Out 7 New Controls for Amazon ElastiCache You Need to Know
Hello this is Aayush from AWS Business Devision,
AWS Security Hub has released seven new controls to enhance the cloud security posture management (CSPM) of Amazon ElastiCache. These controls are fully automated checks against security best practices and will be performed against the ElastiCache Redis cluster. If you have Security Hub set to automatically turn on new controls and are already using AWS Foundational Security Best Practices, these new controls will run without having to take any additional action.
This release brings the total number of AWS Foundational Security Best Practices to 190.
The new controls that have been Rolled Out are:
[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrades enabled
[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled
[ElastiCache.4] ElastiCache replication groups should have encryption-at-rest enabled
[ElastiCache.5] ElastiCache replication groups should have encryption-in-transit enabled
[ElastiCache.6] ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled
[ElastiCache.7] ElastiCache clusters should not use the default subnet group
Let's take a closer look at each of these controls and how they can improve your security posture:
[ElastiCache.1] Automatic backup enables point-in-time recovery of Redis clusters.
This control ensures that the ElastiCache clusters are launched in a Virtual Private Cloud (VPC) with a specific security group attached, which limits access to the clusters to only authorized traffic.
Severity: High
[ElastiCache.2] Auto minor version upgrades
This control ensures that minor version upgrades are automatically applied to ElastiCache for Redis cache clusters, which might include security patches and bug fixes.
Severity: High
[ElastiCache.3] Automatic failover ensures high availability of your ElastiCache replication groups.
This control ensures that automatic failover is enabled for ElastiCache for Redis replication groups, which ensures high availability in case of failure.
Severity: Medium
[ElastiCache.4] Encryption-at-rest adds an extra layer of security by encrypting data stored in the cache nodes.
This control ensures that ElastiCache for Redis replication groups are encrypted at rest, which reduces the risk of unauthorized access to data stored on disk.
Severity: Medium
[ElastiCache.5] Encryption-in-transit encrypts data in transit between cache nodes and clients.
This control ensures that ElastiCache for Redis replication groups are encrypted in transit, which reduces the risk of unauthorized access to data being transmitted over the network.
Severity: Medium
[ElastiCache.6] Redis AUTH enables authentication for earlier Redis versions.
This control ensures that Redis authentication tokens, or passwords, are enabled for ElastiCache for Redis replication groups running Redis versions earlier than 6.0, which improves data security.
Severity: Medium
[ElastiCache.7] Default subnet groups are not recommended for ElastiCache clusters as they provide less control over network configuration. This control ensures that custom subnet groups are used for ElastiCache clusters, which are more restrictive of the subnets that the cluster resides in and the networking that the cluster inherits from the subnets.
Severity: High
Conclusion
These new controls, added by the AWS Security Hub for ElastiCache, enhance security posture management in the cloud by providing automated checks against security best practices. By following these controls, you can ensure that your ElastiCache Redis cluster is secure and up-to-date.