ElastiCache Redis replication group with engine version < 6.0 has Redis OSS AUTH enabled
elasticache_redis_replication_group_auth_enabled
Amazon ElastiCache Redis replication groups running versions prior to 6.0 are evaluated for the use of AUTH tokens. For 6.0+, the finding indicates ACL/RBAC configuration should be reviewed instead of token-based AUTH.
Risk
Without AUTH on pre-6.0 clusters, clients can run unauthenticated commands, enabling data reads/writes, key deletion, and cache poisoning. This threatens confidentiality and integrity, and can facilitate lateral movement via stolen or injected session data.
prowler aws --checks elasticache_redis_replication_group_auth_enabled
Recommendation
Apply defense in depth:
- For versions < 6.0, enable AUTH with strong, rotated tokens and require in-transit encryption.
- For 6.0+, prefer RBAC/ACLs with least-privilege, deny-by-default roles.
- Restrict network access to trusted sources and audit access regularly.
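An offline model of the version split this check and recommendation describe, as an added example that is not Prowler's own check code: pre-6.0 groups fail without an AUTH token (and the detail notes whether in-transit encryption accompanies it), while 6.0+ groups are routed to an ACL/RBAC review. The records are constructed in the shape of boto3 describe_replication_groups entries; the EngineVersion field (in practice read from the member cache clusters), the MANUAL status and the helper names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    resource_id: str
    status: str  # PASS / FAIL, or MANUAL when the 6.0+ ACL setup must be reviewed
    detail: str

def parse_major_minor(version: str) -> tuple:
    """Map an engine version such as "5.0.6" or "7.1" to (major, minor).
    Malformed input becomes (0, 0) so it lands in the stricter pre-6.0 branch."""
    parts = version.split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return (0, 0)

def evaluate_replication_group(group: dict) -> Finding:
    """Apply the check to one describe_replication_groups-style record."""
    rg_id, version = group["ReplicationGroupId"], group.get("EngineVersion", "")
    if parse_major_minor(version) < (6, 0):
        # Pre-6.0: the AUTH token is the only built-in authentication.
        if not group.get("AuthTokenEnabled", False):
            return Finding(rg_id, "FAIL", f"{rg_id} (engine {version}) has no Redis AUTH token.")
        tls = "with" if group.get("TransitEncryptionEnabled") else "WITHOUT"
        return Finding(rg_id, "PASS",
                       f"{rg_id} (engine {version}) has AUTH enabled {tls} in-transit encryption.")
    # 6.0+: token AUTH is legacy; access control lives in user groups (ACL/RBAC).
    user_groups = group.get("UserGroupIds", [])
    where = f"uses user groups {user_groups}" if user_groups else "has no user group attached"
    return Finding(rg_id, "MANUAL", f"{rg_id} (engine {version}) {where}; review ACL/RBAC.")

# Constructed sample records (not real resources). EngineVersion is assumed to have
# been collected from the member cache clusters (describe_cache_clusters).
SAMPLE_GROUPS = [
    {"ReplicationGroupId": "legacy-no-auth", "EngineVersion": "5.0.6",
     "AuthTokenEnabled": False, "TransitEncryptionEnabled": False},
    {"ReplicationGroupId": "legacy-auth", "EngineVersion": "5.0.6",
     "AuthTokenEnabled": True, "TransitEncryptionEnabled": True},
    {"ReplicationGroupId": "modern-rbac", "EngineVersion": "7.1",
     "AuthTokenEnabled": False, "UserGroupIds": ["app-users"]},
]

def run_check(groups=SAMPLE_GROUPS) -> list:
    return [evaluate_replication_group(g) for g in groups]

if __name__ == "__main__":
    for f in run_check():
        print(f.status, f.detail)
```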
Remediation
aws elasticache modify-replication-group --replication-group-id <example_resource_id> --auth-token <AUTH_TOKEN> --auth-token-update-strategy SET --apply-immediately
- In the AWS Console, go to ElastiCache > Redis replication groups
- Select the replication group <example_resource_id> and click Modify
- Under Access control, choose Redis OSS AUTH and enter <AUTH_TOKEN>
- Check Apply immediately and click Modify
- Wait for status to return to Available; AUTH is now enabled
Resource Type
Other