Secure Access to Redis Clusters - Best Practices

Question

You are working as an AWS developer for an online multiplayer game start-up company.

Elasticache with Redis is used for gaming leaderboards to provide low latency for online games.

Redis clusters are deployed within a dedicated VPC in the us-east-1 region. Last week, due to configuration changes in Redis Clusters, the gaming application was impacted for two hours.

To avoid such incidents, you have been requested to plan for secure access to all the new clusters.

What would you prefer to use for secure access to the Redis clusters when accessing them from an EC2 instance initialized in a different VPC in the us-east-1 region? (SELECT TWO)

Explanations

Correct Answer - B, C.

To use Redis AUTH, which requires clients to supply a password before they can access the Redis cluster, in-transit encryption must be enabled on the cluster at the time the cluster is created.

To access the Redis cluster from an EC2 instance in a different VPC in the same region, a Transit Gateway can be established between the two VPCs.

Option A is incorrect.

For Redis AUTH, clusters must be enabled with in-transit encryption during initial deployment.

Option B is correct.

Transit Gateway is suitable for accessing Redis clusters from an EC2 instance in a VPC created in a different region.

Transit Gateway is more secure because it reduces the security footprint available between the VPCs.

Reference link: https://aws.amazon.com/transit-gateway/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Option D is incorrect, as VPN connections are what is required to access the Redis cluster from on-premises servers.

Option E is incorrect.

For Redis AUTH, clusters must be enabled with in-transit encryption during initial deployment, not At-Rest encryption.

For more information on authentication with Redis and on accessing Redis clusters from a different VPC, refer to the following URLs:

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/elasticache-vpc-accessing.html
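The explanation above makes one configuration point that is easy to get wrong in practice: Redis AUTH on ElastiCache only works together with in-transit encryption, and at-rest encryption on its own does not satisfy it. The following added example (not code from the page or from AWS) is a small compliance check a developer can run against the replication groups in an account. The field names `ReplicationGroupId`, `AuthTokenEnabled`, `TransitEncryptionEnabled` and `AtRestEncryptionEnabled` are the ones the DescribeReplicationGroups API returns; the sample data is constructed so the script runs offline, and `fetch_replication_groups` shows where a real boto3 client would supply the same list.

```python
"""Check ElastiCache for Redis replication groups for AUTH + in-transit encryption.

Added example, not part of the original page. The input is shaped like the
ReplicationGroups list returned by the DescribeReplicationGroups API; only the
fields the check needs are included. SAMPLE_REPLICATION_GROUPS is constructed
sample data so the script runs without AWS credentials.
"""
from typing import Any, Dict, List

# Constructed sample: one compliant group and two misconfigured ones.
SAMPLE_REPLICATION_GROUPS: List[Dict[str, Any]] = [
    {
        "ReplicationGroupId": "leaderboard-prod",
        "AuthTokenEnabled": True,
        "TransitEncryptionEnabled": True,
        "AtRestEncryptionEnabled": True,
    },
    {
        # At-rest encryption only: this is the mistake behind option E above.
        "ReplicationGroupId": "leaderboard-staging",
        "AuthTokenEnabled": False,
        "TransitEncryptionEnabled": False,
        "AtRestEncryptionEnabled": True,
    },
    {
        # TLS is on, but no AUTH token was set when the group was created.
        "ReplicationGroupId": "leaderboard-dev",
        "AuthTokenEnabled": False,
        "TransitEncryptionEnabled": True,
        "AtRestEncryptionEnabled": False,
    },
]


def find_violations(groups: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return {replication_group_id: [reasons]} for every group that is not
    protected by BOTH an AUTH token and in-transit (TLS) encryption.

    AtRestEncryptionEnabled is deliberately not consulted: it protects data on
    disk and says nothing about authentication or the network path.
    """
    violations: Dict[str, List[str]] = {}
    for group in groups:
        reasons: List[str] = []
        if not group.get("TransitEncryptionEnabled", False):
            reasons.append("in-transit encryption disabled")
        if not group.get("AuthTokenEnabled", False):
            reasons.append("AUTH token not set")
        if reasons:
            violations[group["ReplicationGroupId"]] = reasons
    return violations


def is_compliant(groups: List[Dict[str, Any]]) -> bool:
    """True when every replication group uses AUTH with in-transit encryption."""
    return not find_violations(groups)


def fetch_replication_groups(elasticache_client: Any) -> List[Dict[str, Any]]:
    """Collect all replication groups from a boto3 ElastiCache client.

    Assumes a client created with boto3.client("elasticache"); uses the
    DescribeReplicationGroups paginator so large accounts are fully covered.
    Not called in the offline demo below.
    """
    groups: List[Dict[str, Any]] = []
    paginator = elasticache_client.get_paginator("describe_replication_groups")
    for page in paginator.paginate():
        groups.extend(page.get("ReplicationGroups", []))
    return groups


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in
    # fetch_replication_groups(boto3.client("elasticache")) for a live account.
    for rg_id, reasons in find_violations(SAMPLE_REPLICATION_GROUPS).items():
        print(f"{rg_id}: {', '.join(reasons)}")
    print("compliant:", is_compliant(SAMPLE_REPLICATION_GROUPS))
```

Because in-transit encryption can only be chosen at creation time, a failing group cannot simply be patched in place; the check is most useful as a gate in the pipeline that provisions new clusters, which is exactly the planning exercise the question describes.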

As an AWS developer for an online multiplayer game start-up company, you have been requested to plan for secure access to all the new Redis Clusters to avoid any incidents like the one that occurred last week. The Redis clusters are deployed within a dedicated VPC in the us-east-1 region, and you need to allow secure access to the Redis clusters from an EC2 instance initialized in a different VPC in the same region. There are two correct options that you can choose to ensure secure access to the Redis clusters while accessing from an EC2 instance in a different VPC. These options are:

B. Create a Transit Gateway to have connectivity between two VPCs: A transit gateway is a network transit hub that you can use to interconnect your VPCs or your on-premises networks. It enables you to create a hub-and-spoke network topology that simplifies network management and minimizes the number of connections required to connect VPCs and on-premises networks. In this case, creating a Transit Gateway will allow secure communication between the VPCs and also help to reduce operational overhead, because you do not need to create and manage a VPN connection between the VPCs, only one connection from each VPC to the transit gateway. This ensures secure access to the Redis clusters from an EC2 instance in a different VPC.

D. Create an Amazon VPN connection between two VPCs: Another option to ensure secure access to the Redis clusters from an EC2 instance initialized in a different VPC is to create an Amazon VPN connection between the two VPCs. A VPN connection provides secure communication between VPCs and allows you to extend your on-premises network to the Amazon VPC. This approach can be more complex and costly than using a transit gateway, but it gives you more control over the network configuration and security.

The other options are not suitable for ensuring secure access to the Redis clusters. Redis AUTH with in-transit encryption disabled for clusters (Option A) is not secure, and it can expose the Redis clusters to the risk of unauthorized access. Redis AUTH with at-rest encryption enabled for clusters (Option E) provides encryption only at rest and not in transit, so it will not ensure secure access from an EC2 instance in a different VPC. Redis AUTH with in-transit encryption enabled for clusters (Option C) provides encryption in transit but does not ensure secure access to the Redis clusters.