Enable ElastiCache In-Transit Encryption

Instructions for Enabling ElastiCache In-Transit Encryption Within Production Deployments

Value Names (DivvyCloud vs. InsightCloudSec)

Some components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Overview

This document outlines the actions required to enable ElastiCache In-transit encryption for production deployments using Terraform, CloudFormation, and the AWS Console. Refer to each individual section for details on the various methods.

If you have questions about the content here or need assistance, reach out to us at [email protected].

Prerequisites

These instructions assume that you have already deployed using our existing production templates, or that you have downloaded those templates and have them on hand.

Refer to the deployment instructions on AWS - EC2 or ECS Fargate - Terraform here.

Note: The content/steps provided on this page apply to self-hosted customers. For hosted customers we recommend that you contact your CSM or [email protected] with any questions or concerns.

General Setup

Note: If InsightCloudSec runs on EC2 instances in your environment, you must also modify the prod.env file so that the application connects to Redis using in-transit encryption; enabling encryption on the ElastiCache cluster alone is not sufficient.

1. If you are using a Linux or Mac test-drive deployment (Docker Compose, as described in the Docker Compose prod.env file linked here), the relevant section of prod.env looks like this before the change:

# MySQL 5.7 Secure database
DIVVY_SECRET_DB_HOST=mysql
DIVVY_SECRET_DB_PORT=3306
DIVVY_SECRET_DB_USERNAME=divvy
DIVVY_SECRET_DB_PASSWORD=divvy

# Redis
DIVVY_REDIS_HOST=redis
DIVVY_REDIS_PORT=6379

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys

2. Add the following entry under the # Redis section: DIVVY_REDIS_SSL_ENABLED=true

  • Alternatively, download the latest version of the prod.env file from here.
  • Note the revised version below (line 10 of the file, DIVVY_REDIS_SSL_ENABLED=true, is the new entry).
# MySQL 5.7 Secure database
DIVVY_SECRET_DB_HOST=mysql
DIVVY_SECRET_DB_PORT=3306
DIVVY_SECRET_DB_USERNAME=divvy
DIVVY_SECRET_DB_PASSWORD=divvy

# Redis
DIVVY_REDIS_HOST=redis
DIVVY_REDIS_PORT=6379
DIVVY_REDIS_SSL_ENABLED=true

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys
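The following is an added example, not part of the InsightCloudSec docs or product code. It parses a prod.env-style file, checks that the Redis section turns on TLS (DIVVY_REDIS_SSL_ENABLED=true, the entry added above), and derives the connection settings a TLS-aware Redis client (redis-py style host/port/ssl keywords) would need. The embedded file contents are constructed for the example from the excerpt above; the variable names are the ones shown on this page, and the parser handles comments, blank lines, an optional export prefix and quoted values, which the page's excerpt does not use.

```python
"""Added example: validate the Redis TLS setting in a prod.env-style file.

Not part of the InsightCloudSec docs or product code. Variable names follow
the page; the sample file contents and the helper names are constructed.
"""
import re

# Constructed sample: the prod.env excerpt from the page, with the new line added.
SAMPLE_PROD_ENV = """\
# MySQL 5.7 Secure database
DIVVY_SECRET_DB_HOST=mysql
DIVVY_SECRET_DB_PORT=3306
DIVVY_SECRET_DB_USERNAME=divvy
DIVVY_SECRET_DB_PASSWORD=divvy

# Redis
DIVVY_REDIS_HOST=redis
DIVVY_REDIS_PORT=6379
DIVVY_REDIS_SSL_ENABLED=true

# Divvy Required - do not modify
VIRTUAL_ENV=/
DIVVY_DB_NAME=divvy
DIVVY_SECRET_DB_NAME=divvykeys
"""

# KEY=VALUE with an optional "export " prefix; surrounding whitespace is ignored.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments; strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def env_bool(env, key, default=False):
    """Interpret a boolean-ish env value; absent keys fall back to default."""
    value = env.get(key)
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def redis_settings(env):
    """Return the host/port/ssl settings a redis-py style client would need.

    ssl is True only when DIVVY_REDIS_SSL_ENABLED is set to a true value, so a
    file that merely omits the entry yields a plaintext connection.
    """
    missing = [k for k in ("DIVVY_REDIS_HOST", "DIVVY_REDIS_PORT") if k not in env]
    if missing:
        raise KeyError(f"prod.env is missing {', '.join(missing)}")
    port = int(env["DIVVY_REDIS_PORT"])
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid DIVVY_REDIS_PORT: {port}")
    return {
        "host": env["DIVVY_REDIS_HOST"],
        "port": port,
        "ssl": env_bool(env, "DIVVY_REDIS_SSL_ENABLED"),
    }


def check_transit_encryption(text):
    """Return (ok, message) describing whether the file enables Redis TLS."""
    settings = redis_settings(parse_env(text))
    if settings["ssl"]:
        return True, f"Redis client will use TLS to {settings['host']}:{settings['port']}"
    return False, "DIVVY_REDIS_SSL_ENABLED is not set to true; add it under # Redis"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    contents = open(path).read() if path else SAMPLE_PROD_ENV
    ok, message = check_transit_encryption(contents)
    print(message)
    sys.exit(0 if ok else 1)
```

Run it with the path to your prod.env as the only argument; with no argument it evaluates the embedded sample. A non-zero exit means the application side would still connect to Redis in plaintext, which is the mismatch to catch before you enable TLS on the cluster.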

Terraform

Steps to enable the ElastiCache In-transit encryption parameter in Terraform are as follows:

1. From the directory containing all the Terraform deployment templates, locate the file DivvyCloud-AWS-Fargate-v1.4.

2. In that file, locate the resource aws_elasticache_replication_group, shown below as it is defined in the template:

resource "aws_elasticache_replication_group" "DivvyCloud-Redis-RG" {
    at_rest_encryption_enabled    = true
    auto_minor_version_upgrade    = true
    automatic_failover_enabled    = true
    engine                        = "redis"
    engine_version                = "5.0.6"
    maintenance_window            = "sat:05:30-sat:06:30"
    node_type                     = "cache.t2.small"
    number_cache_clusters         = length(var.az)
    parameter_group_name          = "default.redis5.0"
    port                          = 6379
    replication_group_description = "DivvyCloud-Redis"
    replication_group_id          = "DivvyCloud-Redis"
    security_group_ids            = [aws_security_group.DivvyCloud-SecurityGroup-Redis.id]
    security_group_names          = []
    snapshot_retention_limit      = 0
    snapshot_window               = "23:30-00:30"
    subnet_group_name             = aws_elasticache_subnet_group.DivvyCloud-Redis-Subnet-Group.id
    timeouts {}
}

3. To enable in-transit encryption, add the argument transit_encryption_enabled = true to the resource:

resource "aws_elasticache_replication_group" "DivvyCloud-Redis-RG" {
    at_rest_encryption_enabled    = true
    auto_minor_version_upgrade    = true
    automatic_failover_enabled    = true
    engine                        = "redis"
    engine_version                = "5.0.6"
    maintenance_window            = "sat:05:30-sat:06:30"
    node_type                     = "cache.t2.small"
    number_cache_clusters         = length(var.az)
    parameter_group_name          = "default.redis5.0"
    port                          = 6379
    replication_group_description = "DivvyCloud-Redis"
    replication_group_id          = "DivvyCloud-Redis"
    security_group_ids            = [aws_security_group.DivvyCloud-SecurityGroup-Redis.id]
    security_group_names          = []
    snapshot_retention_limit      = 0
    snapshot_window               = "23:30-00:30"
    subnet_group_name             = aws_elasticache_subnet_group.DivvyCloud-Redis-Subnet-Group.id
    transit_encryption_enabled    = true
    timeouts {}
}

4. Save the file with these changes and run terraform apply. Because in-transit encryption can only be set when a Redis cluster is created (see the note in the AWS Console section below), expect the plan to show the replication group being replaced rather than updated in place; review the plan before confirming.

AWS Console

Note: Currently, in-transit encryption can only be enabled when creating a Redis cluster, and requires Redis version 4.0.10 or later.

To verify whether an existing ElastiCache cluster has in-transit encryption enabled, do the following:

1. From the AWS management console, search for ElastiCache in the "Find Services" and click on the "ElastiCache" option.

(Screenshot: Locate ElastiCache in the AWS Console)

2. On the ElastiCache resource page, in the left-side panel, click "Redis." This takes you to a page that lists all available ElastiCache clusters.

(Screenshot: ElastiCache Dashboard)

3. Identify the specific ElastiCache cluster for which in-transit encryption needs to be verified.

(Screenshot: Encryption Verification)

4. For the selected cluster, check the Encryption-in-transit column: a value of "No" means in-transit encryption is not enabled; "Yes" means it is enabled.

(Screenshot: Encryption-in-Transit Selection)

  • You can also click on the right-facing arrow by the cluster name to display the full cluster details.
(Screenshot: Cluster Details)
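The following is an added example, not part of the InsightCloudSec docs or product code, and is the programmatic counterpart to the console check above: it lists ElastiCache Redis replication groups and reports any where the Encryption-in-transit value would show "No". The evaluation is a pure function over the shape of the DescribeReplicationGroups response (the TransitEncryptionEnabled and AtRestEncryptionEnabled fields), so it runs here on a constructed sample whose group ids are made up; fetch_replication_groups() performs the live lookup and assumes boto3 is installed and configured with read-only ElastiCache permissions.

```python
"""Added example: report ElastiCache replication groups without in-transit encryption.

Not part of the InsightCloudSec docs or product code. The sample response and
the group ids below are constructed; the field names follow the
DescribeReplicationGroups API.
"""

# Constructed sample in the shape of paginated DescribeReplicationGroups output.
SAMPLE_RESPONSE_PAGES = [
    {"ReplicationGroups": [
        {"ReplicationGroupId": "DivvyCloud-Redis", "Status": "available",
         "TransitEncryptionEnabled": True, "AtRestEncryptionEnabled": True,
         "MemberClusters": ["divvycloud-redis-001", "divvycloud-redis-002"]},
        {"ReplicationGroupId": "legacy-cache", "Status": "available",
         "TransitEncryptionEnabled": False, "AtRestEncryptionEnabled": True,
         "MemberClusters": ["legacy-cache-001"]},
    ]},
    {"ReplicationGroups": [
        # Still creating and with the flag absent: treated as not enabled.
        {"ReplicationGroupId": "scratch-cache", "Status": "creating",
         "MemberClusters": ["scratch-cache-001"]},
    ]},
]


def evaluate_groups(pages):
    """Yield one finding per replication group across paginated responses."""
    for page in pages:
        for group in page.get("ReplicationGroups", []):
            yield {
                "id": group["ReplicationGroupId"],
                "status": group.get("Status", "unknown"),
                # A missing flag is read as off, never as on.
                "transit_encryption": bool(group.get("TransitEncryptionEnabled", False)),
                "at_rest_encryption": bool(group.get("AtRestEncryptionEnabled", False)),
                "members": list(group.get("MemberClusters", [])),
            }


def unencrypted_in_transit(pages):
    """Return the sorted ids of groups whose in-transit encryption is off."""
    return sorted(f["id"] for f in evaluate_groups(pages) if not f["transit_encryption"])


def fetch_replication_groups(region_name=None):
    """Live lookup; needs boto3 and elasticache:DescribeReplicationGroups."""
    import boto3  # imported here so the offline sample path does not need it
    client = boto3.client("elasticache", region_name=region_name)
    return list(client.get_paginator("describe_replication_groups").paginate())


def report(pages):
    """Render findings in the same Yes/No form as the console column."""
    lines = []
    for f in evaluate_groups(pages):
        flag = "Yes" if f["transit_encryption"] else "No"
        lines.append(f"{f['id']:<24} status={f['status']:<10} Encryption-in-transit={flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    pages = fetch_replication_groups() if "--live" in sys.argv else SAMPLE_RESPONSE_PAGES
    print(report(pages))
    bad = unencrypted_in_transit(pages)
    if bad:
        print("in-transit encryption OFF for:", ", ".join(bad))
    sys.exit(1 if bad else 0)
```

Run with --live to query the account in your default region (or pass region_name to fetch_replication_groups); without it the script evaluates the embedded sample. The non-zero exit on any unencrypted group makes it usable as a periodic check alongside the manual console verification.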

To enable in-transit encryption when creating a Redis cluster using the AWS Management Console, make the following selections:

5. From the ElastiCache resource page, click the "Create" button.

(Screenshot: Creating a Cluster Tab)

6. Choose Redis as your engine.

(Screenshot: Redis Cluster Engine Option)

7. In the Security section, ensure the Encryption in-transit box is checked.

(Screenshot: Enable Encryption in-transit)

8. Once you have updated your desired settings, click the "Create" button to create the Redis cluster.

  • While the Redis cluster is creating (with a status of creating), you can verify that encryption in-transit has been enabled by the “Yes” value under the Encryption in-transit column.
(Screenshot: Encryption in-Transit Value)

  • Clicking on the arrow by the Redis cluster name will display the cluster details as well, with encryption also enabled.
(Screenshot: Redis Cluster Details Screen)

9. Once all of the changes outlined above have been applied, ElastiCache in-transit encryption is enabled.
