diff --git a/main.tf b/main.tf
index 6a9d354..59a8055 100644
--- a/main.tf
+++ b/main.tf
@@ -186,6 +186,7 @@ resource "aws_elasticache_replication_group" "default" {
   apply_immediately          = var.apply_immediately
   data_tiering_enabled       = var.data_tiering_enabled
   auto_minor_version_upgrade = var.auto_minor_version_upgrade
+  auth_token_update_strategy = var.auth_token_update_strategy
 
   dynamic "log_delivery_configuration" {
     for_each = var.log_delivery_configuration
diff --git a/variables.tf b/variables.tf
index 58208eb..3da1c76 100644
--- a/variables.tf
+++ b/variables.tf
@@ -278,3 +278,14 @@ variable "insufficient_data_actions" {
   type        = list(string)
   default     = []
 }
+
+variable "auth_token_update_strategy" {
+  description = "Strategy to use when updating the auth_token. Valid values: SET, ROTATE, DELETE."
+  type        = string
+  default     = "ROTATE"
+
+  validation {
+    condition     = contains(["SET", "ROTATE", "DELETE"], var.auth_token_update_strategy)
+    error_message = "auth_token_update_strategy must be one of SET, ROTATE, or DELETE if auth_token is set."
+  }
+}