Posted On: Oct 25, 2017
Amazon ElastiCache for Redis now supports encryption in-transit and at-rest for secure internode communications to help keep personally identifiable information (PII) safe. The new encryption in-transit feature enables you to encrypt all communications between clients and Redis server as well as between the Redis servers (primary and read replica nodes). The encryption at-rest feature allows you to encrypt your backups on disk and in Amazon S3. Additionally, you can use the Redis AUTH command for an added level of authentication.
Below are the key highlights of these new features and how each of these translates into real benefits for you:
- Ease of Setup: Open-source Redis does not support native encryption, and you have to build self-managed solutions using an SSL proxy which requires extra efforts. With these features, you now have a fully managed experience for all your data encryption needs. You can start using the new features by enabling it at the time of cluster creation via the ElastiCache console or through the API. As long as the Redis clients support TLS protocol, you don’t have to modify your applications other than making a small configuration change to your Redis clients. The change to your Redis client is simple, for example, with a Jedis java client, while creating a Redis connection, you need to pass isTls=true flag.
- Complete Security Certificate Management: You don’t have to manage the lifecycle of your certificates because ElastiCache for Redis automatically manages the issuance, renewal, and expiration of your certificates. Key highlights include
I. Managed certificate issuance – ElastiCache for Redis takes care of certificate issuance process transparently to your application. You do not need to acquire a certificate from a certificate authority and deploy/upload the certificate once acquired. ElastiCache for Redis uses a trusted Certificate Authority behind the scenes, minimizing any client set up or costs associated with a third-party certificate authority.
II. Managed certificate renewal – ElastiCache for Redis automatically manages the certificate renewal and deployment process for Amazon-issued TLS certificates eliminating manual errors. ElastiCache for Redis minimizes downtime due to misconfigured, revoked, or expired certificates.
III. Secure Key Management – ElastiCache for Redis is designed to protect and manage the private keys used with certificates. Strong encryption and key management best practices are used when protecting and storing private keys.
- Open-source S2N library for enhanced security – ElastiCache for Redis uses TLS 1.2 protocol and relies on Amazon S2N library to provide strong encryption. S2N is an open source implementation of the TLS protocol that is lightweight and fast while providing strong encryption. The S2N library uses advanced safety mechanisms like static analysis, penetration testing and built-in memory protection providing better security protections.
There is no additional charge to use these features, and they are available in the US West (Oregon), US West (N. California), US East (Ohio), US East (N. Virginia), Canada (Central), EU (Ireland), and South America (São Paulo) Regions. We will continue to make these features available in other AWS Regions.
For more information, see Enable Encryption in-Transit and Enable Encryption at-Rest. To get started with just a few clicks, log into the ElastiCache console.