Use Entra ID authentication with cache instances

Security · Azure Cache for Redis · Rule · 2024_06 · Critical

Use Entra ID authentication with cache instances.

Description

Azure Cache for Redis by default requires that all requests be authenticated. Two methods are supported for authenticating and authorizing requests to Redis cache instances.

• Access keys - Cryptographic keys are secret similar to a shared password, and as a result have a number of limitations that impact security and maintainability.
  • Access keys have a long number of characters, so are not easily guessable but once exposed grant full access.
  • Auditing based on user or application is not possible when using access keys.
  • Each access key must be stored securely within any applications or scripts that use it. This can introduce additional dependencies and code to maintain, that might not normally be required if using Entra ID. Azure Key Vault provides a secure storage for access keys as a secret.
  • You have two keys (primary/ secondary) to manage, each should be rotated independently on a regular basis. Rotation should occur regularly using automation with a documented manual process as a backup.
• Microsoft Entra ID - An OAuth2 access token issued by Microsoft Entra ID provides advantages over access keys including:
  • More granular access control instead of only full access.
  • Strong identity protection methods such as Multi-Factor Authentication (MFA) and conditional access.
  • Central management and auditing.

Currently Redis Enterprise and Redis Enterprise Flash tiers are not supported. Entra ID authentication is supported on Basic, Standard, and Premium tiers.

Recommendation

Consider configuring and using Microsoft Entra ID to authenticate all connections to Redis cache instances.

Examples

Configure with Azure template

To deploy cache instances that pass this rule:

• Set the properties.redisConfiguration.aad-enabled to "True".

For example:

Azure Template snippet

{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy cache instances that pass this rule:

• Set the properties.redisConfiguration.aad-enabled to 'True'.

For example:

Azure Bicep snippet

resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.7.1

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Notes

Microsoft Entra ID based authentication isn't supported in the Enterprise/ Enterprise Flash tiers.

Links

• SE:05 Identity and access management
• Use Microsoft Entra ID for cache authentication
• Configure role-based access control with Data Access Policy
• Azure security baseline for Azure Cache for Redis
• IM-1: Use centralized identity and authentication system
• Azure resource deployment

Comments