At-Rest Encryption in ElastiCache - Amazon ElastiCache

At-Rest Encryption in ElastiCache

To help keep your data secure, Amazon ElastiCache and Amazon S3 provide different ways to restrict access to data in your cache. For more information, see Amazon VPCs and ElastiCache security and Identity and Access Management for Amazon ElastiCache.

ElastiCache at-rest encryption encrypts data in the following places:

  • Disk during sync and swap operations

  • Backups stored in Amazon S3

ElastiCache offers default (service managed) encryption at rest, as well as the ability to use your own symmetric customer managed keys in Amazon Key Management Service (KMS). When the cache is backed up, choose under the encryption options whether to use the default encryption key or a customer managed key. For more information, see Enabling At-Rest Encryption.

Note

The default (service managed) encryption is the only option available in the GovCloud (US) Regions.

For a serverless cache, at-rest encryption is always on; what you choose, and can choose only when the cache is created, is the key that encrypts it. The key cannot be changed afterward. Because some processing is needed to encrypt and decrypt the data, at-rest encryption can have a performance impact during these operations. You should benchmark your workload against the cache to determine the performance impact for your use case.

At-Rest Encryption Conditions

The following constraints on ElastiCache at-rest encryption should be kept in mind when you plan your implementation of ElastiCache encryption at-rest:

  • At-rest encryption is supported only on serverless caches.

  • The option to use customer managed key for encryption at rest is not available in Amazon GovCloud (us-gov-east-1 and us-gov-west-1) regions.

Using customer managed keys from Amazon KMS

ElastiCache supports symmetric customer managed Amazon KMS keys (KMS keys) for encryption at rest. Customer managed KMS keys are encryption keys that you create, own, and manage in your Amazon account. For more information, see Amazon KMS keys in the Amazon Key Management Service Developer Guide. The keys must be created in Amazon KMS before they can be used with ElastiCache.

To learn how to create Amazon KMS root keys, see Creating Keys in the Amazon Key Management Service Developer Guide.

ElastiCache integrates with Amazon KMS through grants: when you create a cache with a customer managed key, ElastiCache creates a grant on that key that lets it use the key on your behalf for the life of the cache. For more information, see Using Grants in the Amazon Key Management Service Developer Guide. No customer action is needed to enable Amazon ElastiCache integration with Amazon KMS.

The kms:ViaService condition key limits use of an Amazon KMS key (KMS key) to requests that arrive from specified Amazon services. To use kms:ViaService with ElastiCache, include both ViaService names in the condition key value: elasticache.Amazon_region.amazonaws.com and dax.Amazon_region.amazonaws.com (where Amazon_region is the Region of the cache). A condition that lists only one of the two names causes ElastiCache's KMS requests to be denied. For more information, see kms:ViaService.

You can use Amazon CloudTrail to track the requests that Amazon ElastiCache sends to Amazon Key Management Service on your behalf. All API calls to Amazon Key Management Service related to customer managed keys have corresponding CloudTrail log entries. You can also see the grants that ElastiCache creates by calling the KMS ListGrants API on the key.
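The ViaService condition and the grant check above, as an added example that is not code from the ElastiCache documentation: a Python script that builds a key policy letting a hypothetical deployer role use the key only when the request comes through ElastiCache (both service names), lints a policy for a ViaService condition that is missing one of the names, and filters a ListGrants response down to ElastiCache's grant. The account ID, region, role name and the ListGrants response are placeholders or constructed; that the service shows up in GranteePrincipal under its regional service name is an assumption.

```python
"""
Key policy for a customer managed key used by ElastiCache, plus a check on the
grants ElastiCache creates. Added example, not code from the ElastiCache docs.
Account ID, region and role name are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"   # placeholder account
REGION = "us-east-1"          # placeholder region
CACHE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ElastiCacheDeployer"  # hypothetical role


def via_service_names(region):
    """Both kms:ViaService values the doc requires for ElastiCache in a region."""
    return [f"elasticache.{region}.amazonaws.com", f"dax.{region}.amazonaws.com"]


def elasticache_key_policy(account_id, region, role_arn):
    """Account root keeps key administration; the deployer role may use the key
    only when the request arrives through ElastiCache (or DAX), and may create
    grants only for AWS resources, which is how ElastiCache attaches itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOnlyViaElastiCache",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": via_service_names(region)}},
            },
            {
                "Sid": "AllowGrantsForAwsResources",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def statements_missing_via_service(policy, region):
    """Sids of statements that condition on kms:ViaService but omit one of the
    two names; such a statement blocks ElastiCache's use of the key."""
    wanted = set(via_service_names(region))
    bad = []
    for stmt in policy["Statement"]:
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if names is None:
            continue
        if isinstance(names, str):
            names = [names]
        if not wanted <= set(names):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def elasticache_grants(list_grants_response, region):
    """Grants from a kms:ListGrants response whose grantee is the ElastiCache
    service in this region. Assumes the service appears under its regional
    service name in GranteePrincipal."""
    marker = f"elasticache.{region}."
    return [g for g in list_grants_response.get("Grants", [])
            if marker in g.get("GranteePrincipal", "")]


# Constructed ListGrants response, shaped like the real API output.
SAMPLE_LIST_GRANTS = {
    "Grants": [
        {"GrantId": "0123abcd", "Name": "cache-grant",
         "GranteePrincipal": f"elasticache.{REGION}.amazonaws.com",
         "Operations": ["Decrypt", "Encrypt", "GenerateDataKey", "DescribeKey"]},
        {"GrantId": "4567efgh", "Name": "unrelated",
         "GranteePrincipal": f"arn:aws:iam::{ACCOUNT_ID}:role/SomeOtherRole",
         "Operations": ["Decrypt"]},
    ]
}

if __name__ == "__main__":
    policy = elasticache_key_policy(ACCOUNT_ID, REGION, CACHE_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("statements missing a ViaService name:", statements_missing_via_service(policy, REGION))
    for g in elasticache_grants(SAMPLE_LIST_GRANTS, REGION):
        print("ElastiCache grant", g["GrantId"], "operations", g["Operations"])
```

Run the lint against a policy you are about to apply with kms:PutKeyPolicy; against the live key, feed the output of kms:ListGrants into elasticache_grants to confirm the one grant per cache the doc describes is present, and to spot grants that outlive their cache.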

  • If you delete the key or disable the key and revoke grants for the key that you used to encrypt a cache, the cache becomes irrecoverable. In other words, it cannot be modified or recovered after a hardware failure. Amazon KMS deletes root keys only after a waiting period of at least seven days. After the key is deleted, you can use a different customer managed key to create a backup for archival purposes.

  • Automatic key rotation preserves the properties of your Amazon KMS root keys, so the rotation has no effect on your ability to access your ElastiCache data. Encrypted Amazon ElastiCache caches don't support manual key rotation, which involves creating a new root key and updating any references to the old key. To learn more, see Rotating Amazon KMS keys in the Amazon Key Management Service Developer Guide.

  • Encrypting an ElastiCache cache using a KMS key requires one grant per cache. This grant is used throughout the lifespan of the cache.

  • For more information on Amazon KMS grants and limits, see Limits in the Amazon Key Management Service Developer Guide.

Enabling At-Rest Encryption

All serverless caches have at-rest encryption enabled; what you choose when you create a cache is the key that encrypts it.

You can make that choice using the Amazon Web Services Management Console, the Amazon CLI, or the ElastiCache API.

When creating a cache, you can pick one of the following options:

  • Default – This option uses service managed encryption at rest.

  • Customer managed key – This option allows you to provide the Key ID/ARN from Amazon KMS for encryption at rest.

To learn how to create Amazon KMS keys, see Creating Keys in the Amazon Key Management Service Developer Guide.
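The API route to the two options above, as an added example that is not code from the ElastiCache documentation: a Python script that builds the CreateServerlessCache parameters (KmsKeyId for a customer managed key, nothing for the default key), and, because the key cannot be changed after creation, checks the key the cache reports before any data is loaded. The cache name, key ARN, region, and the sample DescribeServerlessCaches response are placeholders or constructed; that the API reports the key as either the ARN or the bare key ID, and that "creating" is the in-progress status, are assumptions.

```python
"""
Create a serverless cache with a customer managed key through the API, then
confirm the cache reports that key before any data is loaded. Added example,
not code from the ElastiCache docs; names, ARNs and the region are placeholders.
boto3 is imported only in main() so the helpers can be used without it.
"""
import time

REGION = "us-east-1"                                   # placeholder
CACHE_NAME = "orders-cache"                            # placeholder
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")      # placeholder key ARN


def create_params(cache_name, engine, kms_key_id=None):
    """Parameters for CreateServerlessCache. KmsKeyId selects a customer managed
    key; leaving it out selects the default (service managed) key. The key
    cannot be changed after creation, so get it right here."""
    if engine not in ("valkey", "redis", "memcached"):
        raise ValueError(f"unsupported engine: {engine}")
    params = {"ServerlessCacheName": cache_name, "Engine": engine}
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def key_in_use(describe_response, cache_name):
    """KmsKeyId reported by DescribeServerlessCaches for one cache, or None when
    the cache is on the service managed key (assumes the field is then absent
    or empty)."""
    for cache in describe_response.get("ServerlessCaches", []):
        if cache.get("ServerlessCacheName") == cache_name:
            return cache.get("KmsKeyId") or None
    raise LookupError(f"cache {cache_name} not found in response")


def verify_key(describe_response, cache_name, expected_key):
    """True when the cache is encrypted under the expected customer managed key.
    Compares the trailing key ID so that an ARN and a bare key ID match each
    other (assumption: the API may report either form)."""
    actual = key_in_use(describe_response, cache_name)
    if actual is None:
        return False
    return actual.rsplit("/", 1)[-1] == expected_key.rsplit("/", 1)[-1]


# Constructed DescribeServerlessCaches response, shaped like the real API output.
SAMPLE_DESCRIBE = {
    "ServerlessCaches": [
        {"ServerlessCacheName": CACHE_NAME, "Status": "available",
         "Engine": "valkey", "KmsKeyId": KEY_ARN},
        {"ServerlessCacheName": "default-key-cache", "Status": "available",
         "Engine": "valkey"},
    ]
}


def main():
    import boto3  # only needed for the live calls
    ec = boto3.client("elasticache", region_name=REGION)
    ec.create_serverless_cache(**create_params(CACHE_NAME, "valkey", KEY_ARN))
    # Poll until the cache leaves the in-progress state, then check the key.
    while True:
        resp = ec.describe_serverless_caches(ServerlessCacheName=CACHE_NAME)
        status = resp["ServerlessCaches"][0]["Status"]
        if status != "creating":
            break
        time.sleep(15)
    if not verify_key(resp, CACHE_NAME, KEY_ARN):
        raise SystemExit(f"{CACHE_NAME} is not encrypted under {KEY_ARN}; "
                         "the key cannot be changed, delete and recreate the cache")
    print(f"{CACHE_NAME} is {status} and encrypted under {key_in_use(resp, CACHE_NAME)}")


if __name__ == "__main__":
    main()
```

The same verify_key check is worth running in a deployment pipeline against every existing cache: a cache created with the default key by mistake can only be fixed by recreating it, so it is cheaper to catch before it holds data.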

Enabling At-Rest Encryption Using the Amazon Web Services Management Console

All serverless caches have at-rest encryption enabled. By default, an Amazon-owned KMS key is used to encrypt data. To choose your own Amazon KMS key, make the following selections:

  • Expand the Default settings section.

  • Choose Customize default settings under Default settings section.

  • Choose Customize your security settings under Security section.

  • Choose Customer managed CMK under Encryption key setting.

  • Select a key under Amazon KMS key setting.
