The Securing Redis section of the Redis Quick Start stresses network-level security (firewalls), the requirepass option (the AUTH command), and SSL tunneling, because open-source Redis before 6.0 has no built-in transport encryption. Additional details can be found in "A few things about Redis security" and "Redis Security – Redis".
Amazon VPC security groups and ElastiCache subnet groups provide network security. For data security, Amazon ElastiCache for Redis supports in-transit encryption (TLS), at-rest encryption, and AUTH on clusters running Redis 3.2.6 or 4.0.10 and later.
- Now You Can Use Amazon ElastiCache for Redis with In-Transit and At-Rest Encryption to Help Protect Sensitive Information
- Open Sourcing Encryption in Transit for Redis | AWS Open Source Blog
- Data Security - Amazon ElastiCache for Redis
- Enable all ElastiCache data security features (TLS, at-rest encryption, AUTH)
- Disable backups/snapshots for transient data (set the snapshot retention limit to 0)
- Store the AUTH token the same way as other secrets (e.g. database passwords): in a secrets store, never in source or images
- Lock down network access via VPC security groups to the specific services that require access
- Require a bastion service with audit logging for operator access (don't circumvent network security with routing backdoors)
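The checklist above can be verified against what is actually deployed. The following is an added example, not code from the original page or from AWS: it audits the JSON that `aws elasticache describe-replication-groups` (or boto3's `describe_replication_groups`) returns, reporting every replication group that lacks TLS, at-rest encryption or an AUTH token, or that still retains snapshots of transient data. The field names (`TransitEncryptionEnabled`, `AtRestEncryptionEnabled`, `AuthTokenEnabled`, `SnapshotRetentionLimit`) are the ones in that API response; the two replication groups in the sample are constructed for this example, and no AWS call is made.

```python
"""Audit ElastiCache for Redis replication groups against the data security checklist.

Input is the JSON shape returned by `aws elasticache describe-replication-groups`.
The sample below is constructed for this example; nothing here talks to AWS.
"""
import json

# Constructed sample: one hardened group and one that violates every item.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationGroups": [
        {
            "ReplicationGroupId": "sessions-prod",
            "TransitEncryptionEnabled": True,
            "AtRestEncryptionEnabled": True,
            "AuthTokenEnabled": True,
            "SnapshotRetentionLimit": 0,
        },
        {
            "ReplicationGroupId": "cache-legacy",
            "TransitEncryptionEnabled": False,
            "AtRestEncryptionEnabled": False,
            "AuthTokenEnabled": False,
            "SnapshotRetentionLimit": 7,
        },
    ]
})


def audit_replication_group(group, transient=True):
    """Return a list of findings for one replication group (empty means compliant).

    Missing keys are treated as disabled, so an unexpected response shape fails
    closed rather than passing silently.  transient=True applies the
    'disable backups for transient data' rule: any non-zero SnapshotRetentionLimit
    is reported.
    """
    findings = []
    if not group.get("TransitEncryptionEnabled", False):
        findings.append("in-transit encryption (TLS) disabled")
    if not group.get("AtRestEncryptionEnabled", False):
        findings.append("at-rest encryption disabled")
    if not group.get("AuthTokenEnabled", False):
        findings.append("AUTH token not set")
    retention = group.get("SnapshotRetentionLimit", 0)
    if transient and retention > 0:
        findings.append(
            "snapshots retained for %d day(s) on transient data" % retention
        )
    return findings


def audit_describe_output(raw_json, transient=True):
    """Map ReplicationGroupId -> findings for every group in the describe output."""
    data = json.loads(raw_json)
    return {
        g["ReplicationGroupId"]: audit_replication_group(g, transient)
        for g in data.get("ReplicationGroups", [])
    }


if __name__ == "__main__":
    # Typical use: pipe the CLI output into this script, or pass the boto3 dict
    # through json.dumps() first.
    for group_id, findings in audit_describe_output(SAMPLE_DESCRIBE_OUTPUT).items():
        status = "OK" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{group_id}: {status}")
```

For groups that hold durable data, call `audit_describe_output(raw, transient=False)` so the snapshot rule is skipped but the three encryption/AUTH checks still apply. On the client side the same settings have to be honoured: with redis-py, pass `ssl=True` and `ssl_cert_reqs="required"` so the endpoint certificate is verified, and supply the AUTH token via `password=` from a secrets store rather than a hard-coded string.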