diff --git a/internal/service/elasticache/replication_group.go b/internal/service/elasticache/replication_group.go
index 28e05b3abaa..8f653745471 100644
--- a/internal/service/elasticache/replication_group.go
+++ b/internal/service/elasticache/replication_group.go
@@ -126,6 +126,7 @@ func ResourceReplicationGroup() *schema.Resource {
 "node_type",
 "security_group_names",
 "transit_encryption_enabled",
+ "transit_encryption_mode",
 "at_rest_encryption_enabled",
 "snapshot_arns",
 "snapshot_name",
@@ -305,9 +306,13 @@ func ResourceReplicationGroup() *schema.Resource {
 "transit_encryption_enabled": {
 Type: schema.TypeBool,
 Optional: true,
- ForceNew: true,
 Computed: true,
 },
+ "transit_encryption_mode": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"preferred", "required"}, false),
+ },
 "user_group_ids": {
 Type: schema.TypeSet,
 Optional: true,
@@ -348,6 +353,9 @@ func ResourceReplicationGroup() *schema.Resource {
 diff.HasChange("num_node_groups") ||
 diff.HasChange("replicas_per_node_group")
 }),
+ customdiff.ForceNewIf("transit_encryption_enabled", func(_ context.Context, d *schema.ResourceDiff, meta interface{}) bool {
+ return verify.SemVerLessThan(d.Get("engine_version_actual").(string), "7.0.5")
+ }),
 verify.SetTagsDiff,
 ),
 }
@@ -463,6 +471,10 @@ func resourceReplicationGroupCreate(ctx context.Context, d *schema.ResourceData,
 input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
 }
 
+ if v, ok := d.GetOk("transit_encryption_mode"); ok {
+ input.TransitEncryptionMode = aws.String(v.(string))
+ }
+
 if _, ok := d.GetOk("at_rest_encryption_enabled"); ok {
 input.AtRestEncryptionEnabled = aws.Bool(d.Get("at_rest_encryption_enabled").(bool))
 }
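Review bot: `transit_encryption_mode` is declared `Optional` without `Computed`, yet the Read hunk (`@@ -653,6 +665,7 @@`) unconditionally writes the API-reported `c.TransitEncryptionMode` into state; if the service populates a mode for groups whose configuration never set this argument — plausible whenever `transit_encryption_enabled` is true — every later plan would show a diff trying to clear it. Adding `Computed: true,` next to `Optional: true,`, as the neighbouring `transit_encryption_enabled` block already does, removes that drift. The accepted values are also spelled as bare literals; if the SDK exposes them as `elasticache.TransitEncryptionMode_Values()`, validating against that slice keeps the allowed set tied to the API definition. ResourceReplicationGroup begins and ends outside this hunk.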
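Review bot: The ForceNewIf condition type-asserts `d.Get("engine_version_actual")` to string and hands it to `verify.SemVerLessThan` with no handling of the empty case; `engine_version_actual` is a computed attribute, so when the engine version is changed in the same plan as `transit_encryption_enabled` the planned value can be unknown and `d.Get` yields `""`. What `SemVerLessThan("", "7.0.5")` returns is not visible here, and if it is false a group still below 7.0.5 would be planned as an in-place modify and only fail at the API instead of being replaced. A comment pinning the intent, e.g. `// engine_version_actual may be unknown during an engine upgrade; an empty value must still force replacement — TODO confirm SemVerLessThan("", ...)`, or an explicit `v == "" ||` guard in front of the comparison, would make the assumption checkable. The unused `meta interface{}` parameter can be written `_ interface{}` for consistency with the `_ context.Context` beside it.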
@@ -653,6 +665,7 @@ func resourceReplicationGroupRead(ctx context.Context, d *schema.ResourceData, m
 
 d.Set("at_rest_encryption_enabled", c.AtRestEncryptionEnabled)
 d.Set("transit_encryption_enabled", c.TransitEncryptionEnabled)
+ d.Set("transit_encryption_mode", c.TransitEncryptionMode)
 
 if c.AuthTokenEnabled != nil && !aws.BoolValue(c.AuthTokenEnabled) {
 d.Set("auth_token", nil)
@@ -808,6 +821,16 @@ func resourceReplicationGroupUpdate(ctx context.Context, d *schema.ResourceData,
 }
 }
 
+ if d.HasChange("transit_encryption_enabled") {
+ input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
+ requestUpdate = true
+ }
+
+ if d.HasChange("transit_encryption_mode") {
+ input.TransitEncryptionMode = aws.String(d.Get("transit_encryption_mode").(string))
+ requestUpdate = true
+ }
+
 if requestUpdate {
 _, err := conn.ModifyReplicationGroupWithContext(ctx, input)
 if err != nil {
diff --git a/website/docs/r/elasticache_replication_group.html.markdown b/website/docs/r/elasticache_replication_group.html.markdown
index 9f740118fd1..3792ae8d14a 100644
--- a/website/docs/r/elasticache_replication_group.html.markdown
+++ b/website/docs/r/elasticache_replication_group.html.markdown
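Review bot: The new `transit_encryption_enabled` branch forwards any change, including `true` → `false`, to `ModifyReplicationGroup` as an in-place request, so removing in-transit encryption from a running group becomes a single-step apply rather than a replacement; whether the service accepts that direction is not established here, and the hunk does not document it either way. The documentation hunk in this diff states that enabling encryption on an existing group must pass through `preferred` before `required`, and that the mode is required when enabling, but nothing in this block or the schema sequences or validates that, so a configuration setting `transit_encryption_enabled = true` together with `transit_encryption_mode = "required"` in one step is only rejected at apply time. A CustomizeDiff check that surfaces the invalid combination at plan time, or at minimum a comment above the first new `if` such as `// Enabling in-transit encryption in place requires transit_encryption_mode = "preferred" first (see resource docs); "required" is a second step`, would make the constraint explicit where the request is built. resourceReplicationGroupUpdate begins and ends outside this hunk.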
@@ -212,6 +212,7 @@ The following arguments are optional:
 * `subnet_group_name` - (Optional) Name of the cache subnet group to be used for the replication group.
 * `tags` - (Optional) Map of tags to assign to the resource. Adding tags to this resource will add or overwrite any existing tags on the clusters in the replication group and not to the group itself. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 * `transit_encryption_enabled` - (Optional) Whether to enable encryption in transit.
+* `transit_encryption_mode` - (Optional) Valid values are `preferred` or `required`. When enabling encryption on an existing replication group, you must first set this to `preferred` before you can set it to `required`. Required when `transit_encryption_enabled` is `true`.
 * `user_group_ids` - (Optional) User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. **NOTE:** This argument _is_ a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one.
 
 ### Log Delivery Configuration