At-Rest Encryption in ElastiCache
To help keep your data secure, Amazon ElastiCache and Amazon S3 provide different ways to restrict access to data in your cache. For more information, see Amazon VPCs and ElastiCache security and Identity and Access Management for Amazon ElastiCache.
- Disk during sync and swap operations
ElastiCache offers default (service managed) encryption at rest, as well as the ability to use your own symmetric customer managed Amazon KMS keys in Amazon Key Management Service (KMS).
Note
The default (service managed) encryption is the only option available in the GovCloud (US) Regions.
At-rest encryption can be enabled on a cache only when it is created. Because there is some processing needed to encrypt and decrypt the data, enabling at-rest encryption can have a performance impact during these operations. You should benchmark your data with and without at-rest encryption to determine the performance impact for your use cases.
At-Rest Encryption Conditions
Keep the following constraints on ElastiCache at-rest encryption in mind when you plan your implementation of ElastiCache encryption at rest:
At-rest encryption is supported only on serverless caches.
The option to use a customer managed key for encryption at rest is not available in the Amazon GovCloud (us-gov-east-1 and us-gov-west-1) regions.
Using customer managed keys from Amazon KMS
ElastiCache supports symmetric customer managed Amazon KMS keys (KMS key) for encryption at rest. Customer managed KMS keys are encryption keys that you create, own, and manage in your Amazon account. For more information, see Amazon KMS keys.
To learn how to create Amazon KMS root keys, see Creating Keys.
ElastiCache allows you to integrate with Amazon KMS. For more information, see Using Grants.
The kms:ViaService condition key limits use of an Amazon KMS key (KMS key) to requests from specified Amazon services. To use kms:ViaService with ElastiCache, include both ViaService names in the condition key value: elasticache.Amazon_region.amazonaws.com and dax.Amazon_region.amazonaws.com. For more information, see kms:ViaService.
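As an added example (not part of the ElastiCache documentation), the following KMS key policy allows a principal to use the key only when the request arrives through ElastiCache, listing both ViaService names as the text above requires. The account ID 111122223333, the role name CacheAdminRole, and the region us-east-1 are placeholders; the first statement keeps the account root able to administer the key so that the key cannot become unmanageable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowKeyUseOnlyViaElastiCache",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/CacheAdminRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "elasticache.us-east-1.amazonaws.com",
            "dax.us-east-1.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

A request that CacheAdminRole makes directly to KMS carries no kms:ViaService value, so the second statement does not match it and the call is denied unless another statement allows it; kms:CreateGrant is included because ElastiCache creates one grant per encrypted cache.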
You can use Amazon CloudTrail
If you delete the key or disable the key and revoke grants for the key that you used to encrypt a cache, the cache becomes irrecoverable. In other words, it cannot be modified or recovered after a hardware failure. Amazon KMS deletes root keys only after a waiting period of at least seven days. After the key is deleted, you can use a different customer managed key to create a backup for archival purposes. Automatic key rotation preserves the properties of your Amazon KMS root keys, so the rotation has no effect on your ability to access your ElastiCache data. Encrypted Amazon ElastiCache caches don't support manual key rotation, which involves creating a new root key and updating any references to the old key. To learn more, see Rotating Amazon KMS keys in the Amazon Key Management Service Developer Guide.
Encrypting an ElastiCache cache using a KMS key requires one grant per cache. This grant is used throughout the lifespan of the cache.
For more information on Amazon KMS grants and limits, see Limits in the Amazon Key Management Service Developer Guide.
Enabling At-Rest Encryption
All serverless caches have at-rest encryption enabled.
You can enable at-rest encryption when you create an ElastiCache cache. You can do so using the Amazon Web Services Management Console, the Amazon CLI, or the ElastiCache API.
When creating a cache, you can pick one of the following options:
- Default – This option uses service managed encryption at rest.
- Customer managed key – This option allows you to provide the Key ID/ARN from Amazon KMS for encryption at rest.
To learn how to create Amazon KMS root keys, see Create Keys.
Enabling At-Rest Encryption Using the Amazon Web Services Management Console
All serverless caches have at-rest encryption enabled. By default, an Amazon-owned KMS key is used to encrypt data. To choose your own Amazon KMS key, make the following selections:
Expand the Default settings section.
Choose Customize default settings under Default settings section.
Choose Customize your security settings under Security section.
Choose Customer managed CMK under Encryption key setting.
Select a key under Amazon KMS key setting.