---
title: >-
  ElastiCache Redis replication groups should be encrypted with a
  customer-managed KMS key
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > ElastiCache Redis replication groups
  should be encrypted with a customer-managed KMS key
---

# ElastiCache Redis replication groups should be encrypted with a customer-managed KMS key
 
## Description{% #description %}

ElastiCache Redis replication groups should be encrypted using a customer-managed KMS key rather than the default AWS-managed key. Customer-managed keys provide full control over key rotation policies, access permissions via KMS key policies, and the ability to revoke or disable the key.

## Remediation{% #remediation %}

Create a new replication group with a customer-managed KMS key specified. Existing replication groups cannot have their encryption key changed after creation. For guidance, refer to [At-rest encryption in ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html).