Access AWS Redis through Encrypted Communication Channel
In Amazon ElastiCache for Redis, we can enable in-transit encryption (TLS) when creating a Redis replication group. The only requirement is that the engine version be 3.2.6, 4.0.10 or later. The catch is that it isn’t possible to access such a Redis through redis-cli. To access the data in Redis, we have to use a client that works with Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and redis-cli supports neither SSL nor TLS.
However, a quick solution is to create an SSL tunnel to Redis using stunnel. This program is designed to work as an SSL encryption wrapper between a remote client and a local or remote server. We can use it to add SSL functionality to almost any daemon without any changes to its code.
That’s the theoretical part. We will set up an SSL tunnel to access Redis on an Ubuntu server. Let’s install the necessary packages:
$ sudo apt update
$ sudo apt install redis stunnel -y
Now we will write a configuration file for stunnel. Let’s create a file:
$ sudo touch /etc/stunnel/stunnel.conf
Paste the following lines into this file. Here we are mapping our local port 6379 to the Redis node’s port 6379. Please don’t forget to make the necessary changes.
[redis-cli]
client = yes
accept = localhost:6379
connect = <aws_redis_master_host>:6379
Finally, we start stunnel with our configuration file, using this command:
$ sudo stunnel /etc/stunnel/stunnel.conf
If everything is fine, we should see a success message:
stunnel: LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017
stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
stunnel: LOG5[ui]: Reading configuration from file /stunnel.conf
stunnel: LOG5[ui]: UTF-8 byte order mark not detected
stunnel: LOG5[ui]: FIPS mode disabled
stunnel: LOG4[ui]: Service [redis-cli] needs authentication to prevent MITM attacks
stunnel: LOG5[ui]: Configuration successful
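The LOG4 line in the output above means the service encrypts traffic but does not authenticate the server, so any certificate is accepted. As an added example (not from the original post), the shell function below audits a stunnel configuration for client services without certificate verification and is exercised on two constructed samples: the configuration from this page and a variant using stunnel's `verifyChain`, `CAfile` and `checkHost` options. The function and sample names are hypothetical, the CA bundle path assumes Ubuntu's ca-certificates package, and legacy `verify = N` levels are not evaluated.

```shell
# Added example: flag stunnel client services that do not authenticate the server.
# Usage: audit_stunnel_conf FILE   (use "-" for stdin)
# Prints "<service> OK|UNVERIFIED"; returns 1 if any service is unverified.
audit_stunnel_conf() {
    awk '
    function flush() {
        if (name == "") return
        # Authenticated: pinned peer cert, or CA chain plus expected host name.
        ok = !s["client"] || s["verifypeer"] || (s["verifychain"] && s["checkhost"])
        print name, (ok ? "OK" : "UNVERIFIED")
        if (!ok) bad = 1
    }
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # start of a [service] section
        flush()
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        split("", s); for (k in d) s[k] = d[k]   # inherit global defaults
        next
    }
    {
        n = index($0, "="); if (n == 0) next
        key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        on = (key == "checkhost") ? (val != "") : (tolower(val) == "yes")
        if (name == "") d[key] = on; else s[key] = on
    }
    END { flush(); exit (bad ? 1 : 0) }
    ' "$1"
}
# Constructed sample: the configuration from this page, placeholder unchanged.
page_conf() { cat <<'EOF'
[redis-cli]
client = yes
accept = localhost:6379
connect = <aws_redis_master_host>:6379
EOF
}
# Constructed sample: same service with verification on (Ubuntu CA bundle path assumed).
hardened_conf() { cat <<'EOF'
[redis-cli]
client = yes
accept = localhost:6379
connect = <aws_redis_master_host>:6379
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = <aws_redis_master_host>
EOF
}
```

Run it as `page_conf | audit_stunnel_conf -` or point it at /etc/stunnel/stunnel.conf; a non-zero exit status makes it usable as a pre-start check.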
That’s all. Let’s connect to the Redis with the following command:
$ redis-cli -c -h localhost -p 6379 -a <SomeSecretPassword>
Let’s try to access our data.
localhost:6379> PING
PONG
localhost:6379> SET mykey "Hello"
OK
localhost:6379> GET mykey
"Hello"
localhost:6379> quit
That’s the quick workaround of turning any insecure TCP port into a