ElastiCache for Redis replication groups should be encrypted in transit
Redis replication groups often handle session tokens, cached credentials, and application state. Without TLS, data moves in plaintext between cluster nodes and between the application and the Redis endpoint. An attacker with network access to the VPC (through a compromised instance or misconfigured peering) can passively capture this traffic.
Enabling transit encryption forces all connections to use TLS and cuts off protocol-level sniffing. The performance overhead is real but small for most workloads, typically under 10% additional CPU on modern instance types.
Retrofit consideration
Enabling transit_encryption_enabled on an existing replication group forces replacement of the entire cluster, meaning downtime and data loss unless you migrate first. Build a new group with encryption enabled, cut traffic over, then decommission the old one. Don't attempt an in-place change on production.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "elasticache" {
source = "pcidss.compliance.tf/terraform-aws-modules/elasticache/aws"
version = ">=1.0.0,<2.0.0"
description = "Redis cluster"
engine = "redis"
engine_version = "7.1"
node_type = "cache.t3.micro"
num_cache_clusters = 2
replication_group_id = "abc123"
subnet_ids = ["subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
}
If you use terraform-aws-modules/elasticache/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "elasticache" {
source = "terraform-aws-modules/elasticache/aws"
version = ">=1.0.0,<2.0.0"
description = "Redis cluster"
engine = "redis"
engine_version = "7.1"
node_type = "cache.t3.micro"
num_cache_clusters = 2
replication_group_id = "abc123"
subnet_ids = ["subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
transit_encryption_enabled = true
}
Use AWS provider resources directly. See docs for the resources involved: aws_elasticache_replication_group.
resource "aws_elasticache_replication_group" "this" {
at_rest_encryption_enabled = true
auth_token = "PofixExampleAuthToken32CharsLng"
description = "pofix example replication group"
node_type = "cache.t3.micro"
num_cache_clusters = 2
replication_group_id = "pofix-abc123"
snapshot_retention_limit = 15
subnet_group_name = "example-subnet-group"
transit_encryption_enabled = true
}
What this control checks
The control validates that aws_elasticache_replication_group has transit_encryption_enabled = true. When omitted or set to false, it fails. With the flag set, all clients must connect over TLS. If you use Redis AUTH, auth_token requires transit_encryption_enabled = true, so plan both settings together. For engine versions 7.0 and later, you can set transit_encryption_mode to "preferred" during migration or "required" for strict enforcement; the control passes as long as transit_encryption_enabled is true.
Common pitfalls
Replacement required on existing clusters
Changing
transit_encryption_enabledfromfalsetotruetriggers a destroy-and-recreate in Terraform. The plan will show a forced replacement. For production clusters, create a new replication group with encryption enabled and migrate using Redis replication or application-level seeding rather than letting Terraform destroy the existing group.Client libraries must support TLS
Once transit encryption is on, every client must connect using the
rediss://scheme instead ofredis://. Get this wrong and connections will be refused with no graceful fallback. Audit application connection strings, Lambda environment variables, and ECS task definitions before enabling encryption.AUTH token dependency
auth_tokenonaws_elasticache_replication_grouprequirestransit_encryption_enabled = true. Attempting to disable transit encryption while keepingauth_tokenset will cause a Terraform error. These two settings are coupled; change them together or not at all.transit_encryption_mode confusion on Redis 7+
Redis 7.0+ adds
transit_encryption_modewith values"preferred"and"required". Settingpreferredstill passes this control becausetransit_encryption_enabledistrue, but it allows unencrypted client connections through. If the goal is full enforcement, settransit_encryption_mode = "required"explicitly. 'Preferred' is a migration aid, not a finished state.
Audit evidence
Auditors expect AWS Config evaluation results from an ElastiCache-specific check, for example a custom rule evaluating TransitEncryptionEnabled on AWS::ElastiCache::ReplicationGroup, or equivalent findings in Security Hub conformance packs. Console screenshots showing 'Encryption in-transit: Yes' in the ElastiCache dashboard support the Config findings.
CloudTrail entries for CreateReplicationGroup and ModifyReplicationGroup should include TransitEncryptionEnabled: true in the request parameters. Continuous reports from Security Hub or a third-party scanner add historical trend data to the point-in-time Config evidence.
Framework-specific interpretation
PCI DSS v4.0: Requirement 4.2.1 requires strong cryptography for cardholder data over open or public networks, and v4.0 extends this to internal segments that aren't fully isolated. If session tokens or temporary card data are cached in Redis, that traffic is in scope. TLS on the replication group satisfies the in-transit protection expectation for this data.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
elasticache_replication_group_encryption_in_transit_enabledAWS Config Managed Rule:
ELASTICACHE_REPL_GRP_ENCRYPTED_IN_TRANSITCheckov Check:
CKV_AWS_30Powerpipe Control:
aws_compliance.control.elasticache_replication_group_encryption_in_transit_enabledProwler Check:
elasticache_redis_cluster_in_transit_encryption_enabledAWS Security Hub Control:
ElastiCache.5KICS Query:
1afbb3fa-cf6c-4a3d-b730-95e9f4df343eTrivy Check:
AWS-0051
Last reviewed: 2026-03-09