To help keep your data secure, Amazon ElastiCache and Amazon EC2 provide mechanisms to guard against unauthorized access of your data on the server. By providing in-transit encryption capability, ElastiCache gives you a tool you can use to help protect your data when it is moving from one location to another. For example, you might move data from a primary node to a read replica node within a replication group, or between your replication group and your application.

In-transit encryption is optional and can only be enabled on Redis replication groups when they are created. You enable in-transit encryption on a replication group by setting the parameter TransitEncryptionEnabled to true (CLI: --transit-encryption-enabled) when you create the replication group. You can do this whether you are creating the replication group using the AWS Management Console, the AWS CLI, or the ElastiCache API. If you enable in-transit encryption, you must also provide a value for CacheSubnetGroup.


Connecting to Amazon ElastiCache for Redis nodes enabled with in-transit encryption using redis-cli

  1. Download and compile the redis-cli utility. This utility is included in the Redis software distribution.
  2. At the command prompt of your EC2 instance, type the following commands:

Amazon Linux 2

sudo yum -y install openssl-devel gcc
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make distclean
make redis-cli BUILD_TLS=yes
sudo install -m 755 src/redis-cli /usr/local/bin/

Amazon Linux

sudo yum install gcc jemalloc-devel openssl-devel tcl tcl-devel clang wget
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make redis-cli CC=clang BUILD_TLS=yes
sudo install -m 755 src/redis-cli /usr/local/bin/

sudo yum install clang
CC=clang make
sudo make install
  3. After this, it is recommended that you run the optional make test command.

  4. Type the following command, substituting the endpoint and port of your cluster for what is shown in this example.

    redis-cli -h <primary-or-configuration-endpoint> --tls -p 6379


    The following example connects to a cluster with both encryption and authentication enabled (not recommended):

    redis-cli -h <primary-or-configuration-endpoint> --tls -a 'your-password' -p 6379
    

Connecting to Amazon ElastiCache for Redis nodes enabled with in-transit encryption using Python packages (with aioredis as an example)

aioredis==1.3.0


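import aioredis

async def connect():
    # create_pool is a coroutine in aioredis 1.x, so it must be awaited;
    # ssl=True enables TLS for the connection
    return await aioredis.create_pool("redis://[host]:6379", ssl=True)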

aioredis==2.0.0


import aioredis

# The rediss:// scheme (with a double "s") makes the client connect over TLS
redis = aioredis.from_url("rediss://[[username]:[password]]@[host]:6379/0")
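
Before pointing an application at the endpoint, it helps to confirm that it really negotiates TLS and presents a certificate the client can verify. The following is an added example, not code from the original page: it uses only the Python standard library, the endpoint is passed on the command line, and REDIS_AUTH is a hypothetical environment variable name chosen here so the password stays off the command line.

```python
import os
import socket
import ssl
import sys


def encode_command(*args):
    """Encode a Redis command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_simple_reply(raw):
    """Return the text of a simple-string reply (+PONG); raise on an error reply."""
    line = raw.split(b"\r\n", 1)[0].decode()
    if line.startswith("-"):
        raise RuntimeError("server error: " + line[1:])
    if not line.startswith("+"):
        raise ValueError("unexpected reply: %r" % line)
    return line[1:]


def tls_context():
    """Client context that verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context()
    # Policy chosen for this example: refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=6379, password=None):
    """Connect over TLS, optionally AUTH, send PING; return (TLS version, reply)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        # wrap_socket raises ssl.SSLError if the handshake or verification fails
        with tls_context().wrap_socket(sock, server_hostname=host) as tls:
            if password:
                tls.sendall(encode_command("AUTH", password))
                parse_simple_reply(tls.recv(4096))
            tls.sendall(encode_command("PING"))
            return tls.version(), parse_simple_reply(tls.recv(4096))


if __name__ == "__main__":
    # Usage: python tls_probe.py <primary-or-configuration-endpoint>
    version, reply = probe(sys.argv[1], password=os.environ.get("REDIS_AUTH"))
    print(version, reply)
```

A handshake failure or a plaintext-only endpoint surfaces as an ssl.SSLError, and a cluster that requires authentication answers PING with an error reply that is raised as RuntimeError.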