ElastiCache Replication Group Not Encrypted At Rest

  • Query id: 76976de7-c7b1-4f64-a94f-90c1345914c2
  • Query name: ElastiCache Replication Group Not Encrypted At Rest
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

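ElastiCache replication groups should have encryption at rest enabled: 'at_rest_encryption_enabled' must be set to true. The query flags resources where the attribute is missing or set to false.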

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_elasticache_replication_group" "example" {
  automatic_failover_enabled    = true
  availability_zones            = ["us-west-2a", "us-west-2b"]
  replication_group_id          = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type                     = "cache.m4.large"
  number_cache_clusters         = 2
  port                          = 6379
}

Positive test num. 2 - tf file
resource "aws_elasticache_replication_group" "example2" {
  automatic_failover_enabled    = true
  availability_zones            = ["us-west-2a", "us-west-2b"]
  replication_group_id          = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type                     = "cache.m4.large"
  number_cache_clusters         = 2
  port                          = 6379
  at_rest_encryption_enabled    = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_elasticache_replication_group" "example3" {
  automatic_failover_enabled    = true
  availability_zones            = ["us-west-2a", "us-west-2b"]
  replication_group_id          = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type                     = "cache.m4.large"
  number_cache_clusters         = 2
  port                          = 6379
  at_rest_encryption_enabled    = true
}
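
The same condition can be checked in CI against the JSON form of a plan (`terraform show -json`) rather than the .tf source. The following is an added example, not part of this query or its test files; the function names and the sample plan are constructed for illustration, and accepting the string form "true" is an assumption made to cover provider versions that store the flag as a string.

```python
import json

RESOURCE_TYPE = "aws_elasticache_replication_group"
ATTRIBUTE = "at_rest_encryption_enabled"

# Constructed sample: trimmed `terraform show -json` plan output for the three
# resources on this page (missing attribute, false, true) plus one deletion.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": RESOURCE_TYPE + ".example", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"], "after": {"port": 6379}}},
    {"address": RESOURCE_TYPE + ".example2", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"], "after": {"port": 6379, ATTRIBUTE: False}}},
    {"address": RESOURCE_TYPE + ".example3", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"], "after": {"port": 6379, ATTRIBUTE: True}}},
    {"address": RESOURCE_TYPE + ".old", "type": RESOURCE_TYPE,
     "change": {"actions": ["delete"], "after": None}},
]})


def is_enabled(value):
    """True only for an explicit true; the string form is accepted as an assumption."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def unencrypted_replication_groups(plan_json):
    """Return (address, reason) for each planned replication group without encryption at rest."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if rc.get("type") != RESOURCE_TYPE or after is None:
            continue  # other resource types, or resources being destroyed
        if ATTRIBUTE not in after or after[ATTRIBUTE] is None:
            # Attribute not set in the configuration (positive test num. 1)
            findings.append((rc["address"], "missing"))
        elif not is_enabled(after[ATTRIBUTE]):
            # Attribute explicitly set to false (positive test num. 2)
            findings.append((rc["address"], "disabled"))
    return findings


if __name__ == "__main__":
    for address, reason in unencrypted_replication_groups(SAMPLE_PLAN):
        print(f"{address}: {ATTRIBUTE} is {reason}")
```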