Enabling in-transit encryption - Amazon ElastiCache for Redis
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling in-transit encryption

All serverless caches have in-transit encryption enabled. On a self-designed cluster, you can enable in-transit encryption using the Amazon Web Services Management Console, the Amazon CLI, or the ElastiCache API.

Enabling in-transit encryption using the Amazon Web Services Management Console

When designing your own cluster, the 'Dev/Test' and 'Production' configurations created with the 'Easy create' method have in-transit encryption enabled. When choosing the configuration yourself, make the following selections:

  • Choose engine version 3.2.6, 4.0.10 or later.

  • Select the Enable checkbox for the Encryption in transit option.

For the step-by-step process, see the following:

Enabling encryption in transit is a two-step process: you must first set the transit encryption mode to preferred. This mode allows your Redis clients to connect using both encrypted and unencrypted connections. After you migrate all your Redis clients to use encrypted connections, you can then modify your cluster configuration to set the transit encryption mode to required. Setting the transit encryption mode to required drops all unencrypted connections and allows encrypted connections only.

Step 1: Set your Transit encryption mode to Preferred
  1. Sign in to the Amazon Web Services Management Console and open the Amazon ElastiCache console at https://console.amazonaws.cn/elasticache/.

  2. Choose Redis caches from the ElastiCache Resources listed in the navigation pane on the left-hand side.

  3. Choose the Redis cache you want to update.

  4. Choose the Actions dropdown, then choose Modify.

  5. Choose Enable under Encryption in transit in the Security section.

  6. Choose Preferred as the Transit encryption mode.

  7. Choose Preview changes and save your changes.

After you migrate all your Redis clients to use encrypted connections:

Step 2: Set your Transit encryption mode to Required
  1. Sign in to the Amazon Web Services Management Console and open the Amazon ElastiCache console at https://console.amazonaws.cn/elasticache/.

  2. Choose Redis caches from the ElastiCache Resources listed in the navigation pane on the left-hand side.

  3. Choose the Redis cache you want to update.

  4. Choose the Actions dropdown, then choose Modify.

  5. Choose Required as the Transit encryption mode in the Security section.

  6. Choose Preview changes and save your changes.

Enabling in-transit encryption using the Amazon CLI

To enable in-transit encryption when creating a Redis replication group using the Amazon CLI, use the parameter transit-encryption-enabled.

Use the Amazon CLI operation create-replication-group and the following parameters to create a Redis replication group with replicas that has in-transit encryption enabled:

Key parameters:
  • --engine—Must be redis.

  • --engine-version—Must be 3.2.6, 4.0.10 or later.

  • --transit-encryption-enabled—Required. If you enable in-transit encryption, you must also provide a value for the --cache-subnet-group parameter.

  • --num-cache-clusters—Must be at least 1. The maximum value for this parameter is six.

For more information, see the following:

Use the Amazon CLI operation create-replication-group and the following parameters to create a Redis (cluster mode enabled) replication group that has in-transit encryption enabled:

Key parameters:
  • --engine—Must be redis.

  • --engine-version—Must be 3.2.6, 4.0.10 or later.

  • --transit-encryption-enabled—Required. If you enable in-transit encryption, you must also provide a value for the --cache-subnet-group parameter.

  • Use one of the following parameter sets to specify the configuration of the replication group's node groups:

    • --num-node-groups—Specifies the number of shards (node groups) in this replication group. The maximum value of this parameter is 500.

      --replicas-per-node-group—Used together with --num-node-groups. Specifies the number of replica nodes in each node group. The value specified here applies to all shards in this replication group. The maximum value of this parameter is 5.

    • --node-group-configuration—Specifies the configuration of each shard independently.

For more information, see the following:

Enabling encryption in transit is a two-step process: you must first set the transit encryption mode to preferred. This mode allows your Redis clients to connect using both encrypted and unencrypted connections. After you migrate all your Redis clients to use encrypted connections, you can then modify your cluster configuration to set the transit encryption mode to required. Setting the transit encryption mode to required drops all unencrypted connections and allows encrypted connections only.

Use the Amazon CLI operation modify-replication-group and the following parameters to update a Redis (cluster mode enabled) replication group that has in-transit encryption disabled.

To enable in-transit encryption
  1. Set transit-encryption-mode to preferred, using the following parameters:

    • --transit-encryption-enabled—Required.

    • --transit-encryption-mode—Must be set to preferred.

  2. Set transit-encryption-mode to required, using the following parameters:

    • --transit-encryption-enabled—Required.

    • --transit-encryption-mode—Must be set to required.
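The following shell script is an added example, not part of the ElastiCache documentation or of any AWS tooling. It covers both the create-replication-group parameters listed above and the two-step preferred-then-required modify procedure: it validates the constraints the page states (engine version 3.2.6, 4.0.10 or later; --num-cache-clusters between 1 and 6; a subnet group is mandatory once --transit-encryption-enabled is set; the mode must be preferred or required) before emitting the aws command, so a typo fails locally rather than as an API error. The replication group id, subnet group name and node type are constructed demo values; the script assumes the real CLI flag for the subnet group is --cache-subnet-group-name (the page refers to it as --cache-subnet-group) and that --replication-group-description is required by create-replication-group. Commands are printed by default and only executed when RUN=1.

```shell
#!/bin/sh
# Added example (not from the ElastiCache docs): pre-flight checks for
# enabling in-transit encryption on a Redis replication group via the CLI.
set -eu

# Returns 0 when the engine version supports in-transit encryption
# (3.2.6, 4.0.10 or later). Versions like "6.x" and "7.1" are accepted;
# a missing patch component counts as 0.
tls_version_ok() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  major=${1:-0} minor=${2:-0} patch=${3:-0}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" -ge 5 ]; then return 0; fi
  case "$minor$patch" in *[!0-9]*) return 1 ;; esac
  if [ "$major" -eq 4 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 10 ]; }; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 6 ]; then return 0; fi
  return 1
}

# build_create_cmd GROUP_ID ENGINE_VERSION NUM_CACHE_CLUSTERS SUBNET_GROUP NODE_TYPE
# Prints a create-replication-group command for a TLS-enabled (non cluster
# mode) replication group, or fails with a reason on stderr.
build_create_cmd() {
  group_id=$1 version=$2 num_clusters=$3 subnet_group=$4 node_type=$5
  if ! tls_version_ok "$version"; then
    echo "engine version $version does not support in-transit encryption (need 3.2.6, 4.0.10 or later)" >&2
    return 1
  fi
  case "$num_clusters" in ''|*[!0-9]*) num_clusters=0 ;; esac
  if [ "$num_clusters" -lt 1 ] || [ "$num_clusters" -gt 6 ]; then
    echo "--num-cache-clusters must be between 1 and 6" >&2
    return 1
  fi
  # The page requires a subnet group whenever transit encryption is enabled.
  if [ -z "$subnet_group" ]; then
    echo "a cache subnet group is required when --transit-encryption-enabled is set" >&2
    return 1
  fi
  printf 'aws elasticache create-replication-group --replication-group-id %s --replication-group-description "TLS-enabled Redis replication group" --engine redis --engine-version %s --cache-node-type %s --num-cache-clusters %s --cache-subnet-group-name %s --transit-encryption-enabled\n' \
    "$group_id" "$version" "$node_type" "$num_clusters" "$subnet_group"
}

# build_modify_cmd GROUP_ID MODE
# Prints the modify-replication-group command for one step of the migration;
# MODE is "preferred" (step 1, mixed connections) or "required" (step 2).
build_modify_cmd() {
  group_id=$1 mode=$2
  case "$mode" in
    preferred|required) ;;
    *) echo "transit encryption mode must be preferred or required, got '$mode'" >&2; return 1 ;;
  esac
  printf 'aws elasticache modify-replication-group --replication-group-id %s --transit-encryption-enabled --transit-encryption-mode %s --apply-immediately\n' \
    "$group_id" "$mode"
}

# Print each command, or execute it when RUN=1.
run_or_show() {
  if [ "${RUN:-0}" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

# Constructed demo values; none of these resources exist.
demo_group=tls-demo-group
run_or_show "$(build_create_cmd "$demo_group" 7.1 3 tls-demo-subnets cache.t3.micro)"
# Step 1: accept TLS and plaintext side by side while clients migrate.
run_or_show "$(build_modify_cmd "$demo_group" preferred)"
# Step 2: once every client connects over TLS, reject plaintext connections.
run_or_show "$(build_modify_cmd "$demo_group" required)"
```

Run step 2 only after confirming that no client still connects in plaintext; once the mode is required, any remaining unencrypted client is disconnected, which is the behaviour the page describes.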