Redis Security Investigation
The Securing Redis section from the Redis Quick Start stresses applying network-level security (firewalls), the requirepass option (AUTH command), and SSL tunneling. Additional details can be found by reading A few things about Redis security and Redis Security – Redis.
Amazon VPC Security Groups and the ElastiCache Subnet Groups provide network security. For data security, Amazon ElastiCache for Redis supports each of In-Transit Encryption (TLS), At-Rest Encryption, and AUTH for clusters running Redis version 3.2.6.
- Now You Can Use Amazon ElastiCache for Redis with In-Transit and At-Rest Encryption to Help Protect Sensitive Information
- Open Sourcing Encryption in Transit for Redis | AWS Open Source Blog
- Data Security - Amazon ElastiCache for Redis
Redis Java lists both Lettuce and Jedis as Java clients that support SSL connections.
Note: The redis-cli supports the AUTH command (with the -a password parameter) but might not support SSL without spiped.
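The following is an added example, not code from the Redis documentation or from the Lettuce project, showing how a Java service would apply the AUTH and in-transit encryption features described above with the Lettuce client (io.lettuce:lettuce-core 6.x). The hostname placeholder and the REDIS_HOST / REDIS_AUTH_TOKEN environment variable names are assumptions; the AUTH token is expected to be injected from a secrets store rather than hard-coded, in line with the recommendation to treat it like a database password.

```java
import io.lettuce.core.RedisClient;
import io.lettuce.core.RedisURI;
import io.lettuce.core.api.StatefulRedisConnection;
import io.lettuce.core.api.sync.RedisCommands;

import java.time.Duration;

public class SecureRedisClient {

    // Builds a connection URI that enforces TLS with peer verification and AUTH.
    // Host and token come from the environment (assumed variable names); the
    // hostname below is a placeholder, not a real cluster endpoint.
    static RedisURI buildUri(String host, int port, String authToken) {
        if (authToken == null || authToken.isEmpty()) {
            throw new IllegalStateException(
                "AUTH token must be supplied from a secrets store, never hard-coded");
        }
        return RedisURI.Builder.redis(host, port)
                .withSsl(true)            // in-transit encryption (TLS)
                .withVerifyPeer(true)     // reject endpoints whose certificate does not validate
                .withPassword(authToken.toCharArray()) // Redis AUTH token
                .withTimeout(Duration.ofSeconds(5))
                .build();
    }

    public static void main(String[] args) {
        String host = System.getenv().getOrDefault(
                "REDIS_HOST", "PLACEHOLDER-cluster.cache.amazonaws.com");
        String authToken = System.getenv("REDIS_AUTH_TOKEN");

        RedisClient client = RedisClient.create(buildUri(host, 6379, authToken));
        try (StatefulRedisConnection<String, String> conn = client.connect()) {
            RedisCommands<String, String> cmds = conn.sync();
            // A successful PING here means the TLS handshake and AUTH both succeeded;
            // a wrong token or a plaintext-only endpoint fails before this point.
            System.out.println("PING -> " + cmds.ping());
        } finally {
            client.shutdown();
        }
    }
}
```

Keeping withVerifyPeer(true) matters: with TLS enabled but peer verification off, the token would still be sent encrypted, but to whatever host answered on the endpoint, so the check is what ties the AUTH secret to the intended cluster.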
Recommendations:
- Enable all ElastiCache Data Security Features (TLS, At-Rest, AUTH)
- Disable backups/snapshots for transient data
- Store AUTH token similar to other secrets (e.g. database passwords)
- Lock down network access via VPC security groups to the specific services requiring access
- Require a bastion service with audit logging (don’t circumvent network security with routing backdoors)