Terraform Transit Encryption Disabled
Description
Detects AWS ElastiCache clusters configured without transit encryption enabled. Transit encryption (TLS) protects data in transit between clients and ElastiCache nodes; with it disabled, credentials and cached data cross the network in cleartext and can be read or tampered with by anyone able to observe traffic on the path. This check reads the Terraform configuration, not the deployed cluster; to confirm the running state, inspect the TransitEncryptionEnabled field returned by aws elasticache describe-cache-clusters.
Detection Strategy
• Identifies AWS ElastiCache cluster resources in Terraform configuration
• Checks if the resource lacks transit encryption configuration or has it explicitly disabled
• Reports a vulnerability when an ElastiCache cluster is configured without proper transit encryption
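The three steps above, as an added example written for this page (it is not Fluid Attacks' scanner code). The script scans Terraform HCL text for aws_elasticache_cluster blocks and reports each one whose transit_encryption_enabled attribute is absent or set to false. It goes one step beyond the page's two cases by also flagging a value that is a variable or expression, since that cannot be decided statically. The function names, the regex-based parser and the sample HCL are all assumptions made for the example: the parser handles only the flat key = value style shown on this page, not full HCL.

```python
"""Minimal implementation of the 'transit encryption disabled' check.

Illustrative example, not Fluid Attacks' scanner. The parser is a small regex
over flat `key = value` lines and ignores nested blocks, heredocs and
multi-line values.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One top-level resource block of the type this check targets.
BLOCK_RE = re.compile(
    r'^resource\s+"aws_elasticache_cluster"\s+"(?P<name>[^"]+)"\s*\{'
    r'(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
# `key = value` lines inside a block body; a trailing `# comment` is dropped.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^#\n]+)',
    re.MULTILINE,
)

REASON_MISSING = "transit_encryption_enabled is not set; AWS defaults to no in-transit encryption"
REASON_DISABLED = "transit_encryption_enabled = false"


@dataclass
class Finding:
    resource: str  # Terraform resource name, e.g. "legacy"
    line: int      # 1-based line of the resource block in the scanned text
    reason: str


def parse_attrs(body: str) -> dict:
    """Collect the flat attributes of a block body as raw string values."""
    attrs = {}
    for m in ATTR_RE.finditer(body):
        attrs[m.group("key")] = m.group("value").strip().strip('"')
    return attrs


def classify(attrs: dict) -> Optional[str]:
    """Return the finding reason for one cluster, or None if it is secure."""
    value = attrs.get("transit_encryption_enabled")
    if value is None:
        return REASON_MISSING
    if value.lower() == "false":
        return REASON_DISABLED
    if value.lower() == "true":
        return None
    # A variable or expression cannot be decided statically: flag it for
    # review instead of silently trusting it.
    return f"transit_encryption_enabled is an expression ({value}); verify it resolves to true"


def find_unencrypted_transit(hcl: str) -> list:
    """Apply the detection strategy to the text of a Terraform file."""
    findings = []
    for m in BLOCK_RE.finditer(hcl):
        reason = classify(parse_attrs(m.group("body")))
        if reason is not None:
            line = hcl.count("\n", 0, m.start()) + 1
            findings.append(Finding(m.group("name"), line, reason))
    return findings


# Constructed sample input (not from any real deployment): one explicitly
# disabled cluster, one with the attribute omitted, one hardened, one driven
# by a variable, and an unrelated resource that must be ignored.
SAMPLE_HCL = """\
resource "aws_elasticache_cluster" "legacy" {
  cluster_id                 = "legacy-redis"
  engine                     = "redis"
  node_type                  = "cache.t3.micro"
  num_cache_nodes            = 1
  transit_encryption_enabled = false  # explicitly disabled
}

resource "aws_elasticache_cluster" "unset" {
  cluster_id      = "session-memcached"
  engine          = "memcached"
  node_type       = "cache.t3.micro"
  num_cache_nodes = 2
}

resource "aws_elasticache_cluster" "hardened" {
  cluster_id                 = "hardened-redis"
  engine                     = "redis"
  node_type                  = "cache.t3.micro"
  num_cache_nodes            = 1
  transit_encryption_enabled = true
}

resource "aws_elasticache_cluster" "parameterized" {
  cluster_id                 = "param-redis"
  engine                     = "redis"
  node_type                  = "cache.t3.micro"
  num_cache_nodes            = 1
  transit_encryption_enabled = var.tls_enabled
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "not-a-cache"
}
"""


def main() -> None:
    for f in find_unencrypted_transit(SAMPLE_HCL):
        print(f"line {f.line}: aws_elasticache_cluster.{f.resource}: {f.reason}")


if __name__ == "__main__":
    main()
```

Running it reports the legacy, unset and parameterized clusters and stays silent on the hardened one and on the S3 bucket. Treating an omitted attribute as a finding matches the detection strategy above: Terraform does not turn transit encryption on for you, so silence in the configuration means cleartext traffic.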
Vulnerable code example
resource "aws_elasticache_cluster" "cache" {
  cluster_id      = "redis-cluster"
  engine          = "redis"
  node_type       = "cache.t3.micro"
  num_cache_nodes = 1
  # Security issue: Transit encryption disabled, exposing data in transit
  transit_encryption_enabled = false
}
✅ Secure code example
resource "aws_elasticache_cluster" "cache" {
  cluster_id      = "redis-cluster"
  engine          = "redis"
  node_type       = "cache.t3.micro"
  num_cache_nodes = 1
  # Enable TLS to encrypt data in transit between clients and cache nodes
  transit_encryption_enabled = true
  # Required when transit encryption is enabled...
}