How to encrypt ElastiCache at Rest

Organizations will sometimes require ElastiCache to be encrypted at rest. While the Turbot Console stack does not do so natively, it only takes a few steps to make the necessary changes. Access to the Turbot Master is required. Order is extremely important in the following steps! Per AWS instructions, encryption CANNOT be enabled on an existing replication group: the old one must be terminated and a new one created with Encryption At Rest enabled.

AWS provides encryption at rest as a feature for ElastiCache and has issued the following statement regarding performance:

Amazon ElastiCache for Redis at-rest encryption is an optional feature to increase data security by encrypting on-disk data during sync and backup or snapshot operations. Because there is some processing needed to encrypt and decrypt the data, enabling at-rest encryption can have some performance impact during these operations. You should benchmark your data with and without at-rest encryption to determine the performance impact for your use cases.

Spin up Turbot Console instances:

  1. Log into the Turbot Master and navigate to CloudFormation.
  2. Select the Turbot-Console stack and click Update Stack.
  3. Select the option Use Current Template, then click Next.
  4. Change the value of LocalRedisEnabled to True.
  5. Change the value of TurbotServerRolesEnabled to False.
  6. Change the values of ElastiCacheCreation and ElastiCacheEnabled to False.
  7. Scroll to the bottom and run the CloudFormation stack. This will take down the web and worker instances and replace them with Console servers. Shutting down ElastiCache nodes can take some time; wait times of 20+ minutes are possible.

Edit CloudFormation template:

  1. Save the current template by clicking on Turbot-Console stack in CloudFormation then selecting the Template tab. Copy the text to a code editor like Visual Studio Code.
  2. Once the template has been copied, search for the text CacheReplicationGroup. The section that needs editing has CacheReplicationGroup as its title, with the Type being AWS::ElastiCache::ReplicationGroup.
  3. Add the text "AtRestEncryptionEnabled": "True". The final result will look like the following: [screenshot omitted]
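As an added example (not Turbot's own tooling), the small Python script below performs steps 2 and 3 on a saved JSON copy of the template: it finds every AWS::ElastiCache::ReplicationGroup resource, sets AtRestEncryptionEnabled, and reports any replication group still left unencrypted. The embedded template is a constructed stand-in with placeholder values, not the real Turbot-Console template.

```python
import json
from typing import Any, Dict, List

RG_TYPE = "AWS::ElastiCache::ReplicationGroup"
PROPERTY = "AtRestEncryptionEnabled"

# Constructed stand-in for the saved Turbot-Console template: only the
# resource the article edits is shown, with placeholder property values.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "CacheReplicationGroup": {
            "Type": RG_TYPE,
            "Properties": {
                "ReplicationGroupDescription": "placeholder",
                "Engine": "redis",
                "CacheNodeType": "cache.t2.medium",
                "NumCacheClusters": 2,
            },
        },
        "CacheSubnetGroup": {"Type": "AWS::ElastiCache::SubnetGroup",
                             "Properties": {"Description": "placeholder",
                                            "SubnetIds": ["subnet-placeholder"]}},
    },
})

def replication_groups(template: Dict[str, Any]) -> List[str]:
    """Logical IDs of every ReplicationGroup resource in the template."""
    return [name for name, res in template.get("Resources", {}).items()
            if res.get("Type") == RG_TYPE]

def unencrypted_groups(template_text: str) -> List[str]:
    """Replication groups whose AtRestEncryptionEnabled is absent or not true."""
    template = json.loads(template_text)
    return [name for name in replication_groups(template)
            if str(template["Resources"][name].get("Properties", {})
                   .get(PROPERTY, "")).lower() != "true"]

def enable_at_rest_encryption(template_text: str) -> str:
    """Return the template with AtRestEncryptionEnabled set on every
    replication group. Fails loudly if none is found, so a mis-typed resource
    type cannot produce an unchanged stack that still looks 'updated'."""
    template = json.loads(template_text)
    groups = replication_groups(template)
    if not groups:
        raise ValueError(f"no {RG_TYPE} resource in template")
    for name in groups:
        props = template["Resources"][name].setdefault("Properties", {})
        props[PROPERTY] = "True"  # the value the article adds
    return json.dumps(template, indent=2)
```

Run `unencrypted_groups` on the edited file before uploading it in the next section; an empty list means every replication group carries the new property.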

Upload new template and recreate ElastiCache:

  1. Navigate to CloudFormation in the Master account.
  2. Select Turbot-Console, then select Update.
  3. Click on Replace Current Template, then upload the template where the AtRestEncryptionEnabled has been added.
  4. Change the value of LocalRedisEnabled back to False, TurbotServerRolesEnabled back to True, and ElastiCacheCreation and ElastiCacheEnabled back to True.
  5. As with ElastiCache termination, creating nodes can take some time to complete. Allow up to 30 minutes for the nodes to come back online.
  6. Once the nodes have come online, navigate to ElastiCache, select Redis, and verify that the nodes are Available and that Encryption at Rest is set to Yes.


Reach out to if there are any questions or concerns.
