
ElastiCache Redis does not specify the TLS version, is this normal?

0

I have a use case where I need to confirm if TLS 1.2 or above is being used for transmit encryption. When I go to the AWS Console to confirm this, I do not see this TLS version being specified. My question is: is the ElastiCache TLS version automatically added when you turn on encryption in transit?

Does ElastiCache use TLS version 1.2 or higher by default?

2 Answers
1

Hello.

TLS 1.1 will be completely deprecated for ElastiCache Redis and Valkey.
https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/in-transit-encryption.html

Usage of old TLS 1.0 and TLS 1.1 is deprecated across all AWS Regions for ElastiCache version 6 and above. ElastiCache will continue to support TLS 1.0 and 1.1 until May 8, 2025. Customers must update their client software before that date.

So currently you can use TLS 1.0 and 1.1, but from now on you will only be able to use versions 1.2 and later.
https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-elasticache-minimum-tls-version-1-2/?nc1=h_ls

ElastiCache will continue to support TLS 1.0 and 1.1 until May 8, 2025, and customers must update their client software before that date. For more information about ElastiCache and in-transit encryption (TLS), see our documentation.

EXPERT
answered 10 months ago
0

Yes, AWS ElastiCache for Redis uses TLS 1.2 or higher by default when you enable encryption in transit.

TLS Version in ElastiCache for Redis

  1. Automatic Use of TLS 1.2 or Higher
  • When you enable encryption in transit for an ElastiCache for Redis cluster, AWS automatically enforces the use of TLS 1.2 or higher.
  • This ensures secure communication between your clients and the Redis nodes.
  2. No Explicit Specification in the Console
  • The AWS Management Console does not explicitly display the TLS version being used. However, the underlying infrastructure enforces TLS 1.2 or higher as part of AWS's security best practices.
  3. Validation of TLS Version
  • If you need to confirm the TLS version being used, you can test the connection using tools like OpenSSL or inspect logs from your Redis client libraries to see the negotiated TLS version during a secure connection.

Steps to Verify TLS Version

To verify that TLS 1.2 or higher is being used:

  1. Use OpenSSL

Run the following command, replacing <endpoint> and <port> with your Redis cluster details:

openssl s_client -connect <endpoint>:<port>

Look for the line that specifies Protocol. It should show TLSv1.2 or higher.

  2. Check Redis Client Logs
  • Many Redis client libraries log the TLS version during the handshake. Enable verbose logging to inspect the details.
answered 10 months ago
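The verification steps above can be scripted so the check is repeatable rather than read off a terminal. The following is an added example, not code from either answer or from AWS: it parses the Protocol line from saved openssl s_client output, compares it against a minimum version, and opens a live connection whose client context itself refuses anything below TLS 1.2. The endpoint and port are taken from the command line; the sample s_client output is constructed, not captured from a real cluster.

```python
import socket
import ssl
from typing import Optional

# Protocol names in order of strength, as reported both by
# ssl.SSLSocket.version() and by the "Protocol  :" line of openssl s_client.
_TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def meets_minimum(negotiated: str, minimum: str = "TLSv1.2") -> bool:
    """True if the negotiated protocol is at least `minimum`."""
    if negotiated not in _TLS_ORDER or minimum not in _TLS_ORDER:
        raise ValueError(f"unknown TLS protocol name: {negotiated!r} / {minimum!r}")
    return _TLS_ORDER.index(negotiated) >= _TLS_ORDER.index(minimum)

def parse_s_client_protocol(output: str) -> Optional[str]:
    """Pull the negotiated protocol out of `openssl s_client` output
    (the 'Protocol  : TLSv1.2' line in the SSL-Session block)."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Protocol") and ":" in line:
            return line.split(":", 1)[1].strip()
    return None  # handshake failed or the output was truncated

def negotiated_tls_version(host: str, port: int = 6379, timeout: float = 5.0) -> str:
    """Connect to an endpoint and return the protocol that was negotiated.
    The client refuses anything below TLS 1.2 itself, so a server limited to
    TLS 1.0/1.1 raises ssl.SSLError instead of silently downgrading."""
    ctx = ssl.create_default_context()  # also verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

# Constructed sample of s_client output (not captured from a real endpoint).
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":  # usage: python check_tls.py <endpoint> [port]
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(negotiated_tls_version(sys.argv[1], port))
```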
