
ElastiCache for Redis replication groups before version 6.0 should use Redis Auth

Redis before version 6.0 lacks Role-Based Access Control, making AUTH the only access control in place. Without it, any client that can reach the replication group endpoint can read and write data freely, including session tokens, cached credentials, and application state.

ElastiCache Redis clusters often sit inside private subnets, which gives teams a false sense of security. A compromised application server or misconfigured security group is all it takes to expose an unauthenticated Redis instance. Enabling AUTH adds a password gate that limits access even when network controls fail.

Retrofit consideration

Enabling auth_token requires transit_encryption_enabled = true. Adding transit encryption to an existing replication group may require replacement, causing downtime unless you plan the migration (snapshot and restore is the typical path). All connecting clients must also be updated with the new token.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/elasticache/aws, set the module inputs that enable Redis AUTH for this control (auth_token, which in turn requires transit_encryption_enabled). You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "elasticache" {
  source  = "terraform-aws-modules/elasticache/aws"
  version = ">=1.0.0,<2.0.0"

  description          = "Redis cluster"
  engine               = "redis"
  # This control only evaluates engines below 6.0; on 6.0+ the expected
  # method is RBAC via user_group_ids, although an AUTH token is still accepted.
  engine_version       = "7.1"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  replication_group_id = "abc123"
  # Placeholder subnet IDs; the entries must be distinct subnets.
  subnet_ids           = ["subnet-12345678", "subnet-87654321"]
  vpc_id               = "vpc-12345678"

  # Redis AUTH: the token is only accepted together with in-transit encryption.
  # Keep the token out of the .tf file by passing it in as a sensitive variable.
  transit_encryption_enabled = true
  auth_token                 = var.redis_auth_token
}

Otherwise, use AWS provider resources directly. See the provider docs for the resource involved: aws_elasticache_replication_group.

variable "redis_auth_token" {
  type      = string
  sensitive = true # 16 to 128 printable characters, never hardcoded in .tf files
}

resource "aws_elasticache_replication_group" "this" {
  at_rest_encryption_enabled = true
  # Terraform still writes the token to state: encrypt the state backend.
  auth_token                 = var.redis_auth_token
  auth_token_update_strategy = "ROTATE" # rotate in place instead of replacing the group
  description                = "pofix example replication group"
  # Pin a pre-6.0 engine; left unset, AWS picks its current default release,
  # which is outside this control's scope.
  engine_version             = "5.0.6"
  node_type                  = "cache.t3.micro"
  num_cache_clusters         = 2
  replication_group_id       = "pofix-abc123"
  snapshot_retention_limit   = 15
  subnet_group_name          = "example-subnet-group"
  transit_encryption_enabled = true # required whenever auth_token is set
}

What this control checks

The aws_elasticache_replication_group resource passes when auth_token is set to a non-empty string and engine_version is below 6.0. The token must be 16 to 128 printable characters. auth_token also requires transit_encryption_enabled = true, since Redis AUTH transmits the token in cleartext without TLS. It fails when auth_token is omitted or empty on a pre-6.0 engine. Replication groups on Redis 6.0 or later are out of scope; those versions support RBAC via user_group_ids.
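The check logic described above, written out as an added Python example (it is not code from this page or from the compliance.tf project). It evaluates a dictionary that mirrors aws_elasticache_replication_group arguments; the sample resources are constructed for illustration.

```python
"""Evaluate the pre-6.0 Redis AUTH control against Terraform-style attributes."""
from typing import NamedTuple

PASS, FAIL, NOT_APPLICABLE = "PASS", "FAIL", "NOT_APPLICABLE"


class Result(NamedTuple):
    status: str
    reason: str


def engine_major(version: str) -> int:
    """Major version of an ElastiCache engine_version such as "5.0.6", "6.x" or "7.1".
    An unset version means AWS picks its current default, which is 6.0+."""
    if not version:
        return 99
    return int(version.split(".")[0])


def evaluate(attrs: dict) -> Result:
    """attrs holds the arguments of one aws_elasticache_replication_group resource."""
    if engine_major(attrs.get("engine_version", "")) >= 6:
        return Result(NOT_APPLICABLE, "engine 6.0+: RBAC via user_group_ids expected")
    token = attrs.get("auth_token") or ""
    if not token:
        return Result(FAIL, "auth_token missing or empty on a pre-6.0 engine")
    if not (16 <= len(token) <= 128) or not token.isprintable():
        return Result(FAIL, "auth_token must be 16 to 128 printable characters")
    if attrs.get("transit_encryption_enabled") is not True:
        return Result(FAIL, "auth_token requires transit_encryption_enabled = true")
    return Result(PASS, "AUTH enabled with in-transit encryption")


# Constructed sample resources (hypothetical, not real infrastructure).
SAMPLES = {
    "legacy_no_auth": {"engine_version": "5.0.6", "num_cache_clusters": 2},
    "legacy_auth_no_tls": {"engine_version": "5.0.6",
                           "auth_token": "constructed-sample-token-0001"},
    "legacy_compliant": {"engine_version": "5.0.6",
                         "auth_token": "constructed-sample-token-0001",
                         "transit_encryption_enabled": True},
    "modern_rbac": {"engine_version": "7.1", "user_group_ids": ["ug-placeholder"]},
}


def evaluate_all(samples: dict) -> dict:
    """Map each sample name to its control status."""
    return {name: evaluate(attrs).status for name, attrs in samples.items()}


if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        res = evaluate(attrs)
        print(f"{name:20} {res.status:15} {res.reason}")
```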

Common pitfalls

  • Transit encryption prerequisite

    Terraform will error on apply if auth_token is set without transit_encryption_enabled = true. Both must be present on the aws_elasticache_replication_group resource. There is no partial success here.

  • Auth token rotation forces replacement

    Changing auth_token in Terraform triggers a replacement of the replication group by default. Use auth_token_update_strategy set to ROTATE or SET to update the token in place and avoid downtime. Without this, a token rotation becomes a destructive operation.

  • Storing auth_token in plaintext

    Hardcoding auth_token in .tf files exposes it in version control and Terraform state. Reference it from aws_secretsmanager_secret_version or pass it as a sensitive variable. Terraform still writes the value to state, so encrypt the state backend.

  • Control does not apply to Redis 6.0+

    If engine_version is 6.0 or higher, this control does not flag a missing auth_token because RBAC via user_group_ids is the expected authentication method on those versions. Make sure you have a separate control or process covering RBAC configuration on newer clusters.

Audit evidence

Auditors expect AWS Config rule evaluation results showing all ElastiCache Redis replication groups below engine version 6.0 have AUTH enabled. The DescribeReplicationGroups API response includes AuthTokenEnabled and TransitEncryptionEnabled boolean fields that confirm the configuration directly. Console screenshots of the replication group detail page showing "Auth Token: Enabled" alongside the engine version can supplement API evidence.

AWS Config compliance history or Security Hub findings cover ongoing assurance. CloudTrail logs of CreateReplicationGroup and ModifyReplicationGroup calls show whether AuthToken was provided at creation or modification time.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: elasticache_replication_group_redis_auth_enabled

  • AWS Config Managed Rule: ELASTICACHE_REPL_GRP_REDIS_AUTH_ENABLED

  • Checkov Check: CKV_AWS_31

  • Powerpipe Control: aws_compliance.control.elasticache_replication_group_redis_auth_enabled

  • Prowler Check: elasticache_redis_replication_group_auth_enabled

  • AWS Security Hub Control: ElastiCache.6

Last reviewed: 2026-03-09