ElastiCache Redis Auth Token Rotation

0

Hi, does AWS automatically rotate the AUTH token in Redis? I have twice had issues where the app stopped communicating with Redis and the error was WRONG password. Does AWS automatically rotate the AUTH token with any security update, or anything else? Is it possible to disable this? Thanks

  • please accept the answer if it was useful

asked 3 months ago, 275 views
4 Answers
2

AWS ElastiCache for Redis does not automatically rotate the AUTH token. The AUTH token (password) for ElastiCache Redis is a static value that you set when you create the cluster, and it remains the same until you manually change it.

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html#auth-modifyng-token

aws elasticache modify-replication-group \
--replication-group-id authtestgroup \
--auth-token This-is-the-rotated-token \
--auth-token-update-strategy ROTATE \
--apply-immediately

Modifying the auth token supports two strategies: ROTATE and SET. The ROTATE strategy adds an additional AUTH token to the server while retaining the previous token. The SET strategy updates the server to support just a single AUTH token.

EXPERT
answered 3 months ago
EXPERT
Artem
reviewed 3 months ago
AWS
EXPERT
reviewed 3 months ago
0

Hi, it's weird because no one changed the auth token, no one ran Terraform for a new instance, and today the password is gone and we need to set it to Rotate again.

answered 3 months ago
0

Hello,

Troubleshooting Your Issue

Given your issue of the application failing to communicate with Redis due to a "WRONG password" error, here are the steps you should follow:

1. Check for Manual Changes:

Verify Changes: Ensure that no one manually changed the AUTH token. Check the activity logs in the AWS Management Console for any recent changes to the ElastiCache cluster settings.

2. Review Configuration and Security Settings:

Security Review: Make sure your ElastiCache for Redis cluster has proper security settings. This includes reviewing IAM policies, security groups, and access control lists to ensure no unauthorized changes can occur.

3. Rotate the AUTH Token:

Token Rotation: To update the password and resolve the issue, rotate the AUTH token using the AWS CLI. Here’s the command:

aws elasticache modify-replication-group \
  --replication-group-id <your-replication-group-id> \
  --auth-token <new-auth-token> \
  --auth-token-update-strategy ROTATE

4. Implement Robust Security Measures:

Enhanced Security: Consider implementing stronger security and access control mechanisms. This can include using IAM roles and policies, monitoring AWS CloudTrail logs for unauthorized changes, and setting up AWS Config rules to alert on configuration changes.

AWS ElastiCache for Redis does not automatically rotate the AUTH token. The token remains static until manually updated.

You can manually rotate the AUTH token using the AWS CLI with the 'modify-replication-group' command and the '--auth-token-update-strategy' parameter set to 'ROTATE' or 'SET'.

EXPERT
answered 3 months ago
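
One way to carry out the "check the activity logs" and CloudTrail monitoring steps from the answer above, as an added example that is not part of the original answer or any AWS code: it filters CloudTrail records for ModifyReplicationGroup calls that touched the AUTH token. The sample records are constructed, and the requestParameters key names (replicationGroupId, authToken, authTokenUpdateStrategy) are assumed to be the camelCase forms of the CLI parameters shown above.

```python
def _ev(time, arn, params):
    """Build one constructed CloudTrail record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": "elasticache.amazonaws.com",
            "eventName": "ModifyReplicationGroup",
            "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample input. Key names inside requestParameters are an assumption.
SAMPLE_EVENTS = [
    _ev("2024-05-02T09:14:07Z", "arn:aws:iam::111122223333:user/example-admin",
        {"replicationGroupId": "authtestgroup", "authToken": "<redacted>",
         "authTokenUpdateStrategy": "SET", "applyImmediately": True}),
    _ev("2024-04-20T11:00:00Z",
        "arn:aws:sts::111122223333:assumed-role/example-ci/run",
        {"replicationGroupId": "authtestgroup", "authToken": "<redacted>",
         "authTokenUpdateStrategy": "ROTATE", "applyImmediately": True}),
    # Modification unrelated to the token: must not be reported.
    _ev("2024-04-25T08:30:00Z", "arn:aws:iam::111122223333:user/example-admin",
        {"replicationGroupId": "authtestgroup", "snapshotRetentionLimit": 5}),
    # Token change on a different replication group: must not be reported.
    _ev("2024-05-01T10:00:00Z", "arn:aws:iam::111122223333:user/example-admin",
        {"replicationGroupId": "other-group", "authToken": "<redacted>",
         "authTokenUpdateStrategy": "SET"}),
]

def auth_token_changes(events, group_id):
    """Return, oldest first, the API calls that changed the group's AUTH token."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "elasticache.amazonaws.com":
            continue
        if ev.get("eventName") != "ModifyReplicationGroup":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("replicationGroupId") != group_id:
            continue
        strategy = params.get("authTokenUpdateStrategy")
        if strategy is None and "authToken" not in params:
            continue  # this call did not touch the token
        failed = "errorCode" in ev
        findings.append({
            "time": ev.get("eventTime"),
            "who": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "strategy": strategy or "unspecified",
            "failed": failed,
            # SET leaves the server with a single AUTH token, so clients
            # still presenting a different token are rejected afterwards.
            "single_token_only": strategy == "SET" and not failed,
        })
    return sorted(findings, key=lambda f: f["time"])
```

A finding with `single_token_only` set, dated shortly before the first "WRONG password" error, identifies the caller and time of the change to investigate.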
0

We are looking for any reason. We have now found that the applications didn't use Redis until now. The secret is the same; the only thing we found is that these patches were applied: elasticache-20230315-002 and elasticache-redis-7-0-7-update-20240201

without any release notes. Is it possible to get any release notes about these updates? Do they have some security reset of the auth token?

Or is there any TTL on the auth token when it is not used for more than 4 months?

answered 3 months ago
