Amazon ElastiCache
User Guide (API Version 2014-07-15)

Controlling ElastiCache Access with IAM

ElastiCache allows you to control access to your cache clusters using cache security groups. A cache security group acts like a firewall controlling network access to your cache cluster.

Important

ElastiCache uses cache security groups to control who has access to specific ElastiCache cache clusters. There's no way in the IAM system to allow or deny access to a specific cache cluster.

For more information about using security groups with ElastiCache, refer to the Amazon ElastiCache User Guide.

About IAM

Amazon ElastiCache integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

  • Create users and groups under your AWS account

  • Easily share your AWS resources between the users in your AWS account

  • Assign unique security credentials to each user

  • Control each user's access to services and resources

  • Get a single bill for all users in your AWS account

For example, you can use IAM with ElastiCache to control which Users in your AWS Account can create or modify cache clusters for your AWS Account.

For more information about IAM, see the Using IAM documentation.

For more information on using IAM with ElastiCache, see Controlling ElastiCache Access with IAM.

ElastiCache Security Groups and IAM

Using IAM with ElastiCache doesn't change how you use ElastiCache cache security groups to grant access to cache clusters. However, you can use IAM policies to specify which ElastiCache actions a User in your AWS Account can use with ElastiCache resources in general. Because you can't specify a particular cache cluster in the policy, you must specify * as the resource to indicate all cache clusters in the AWS Account.

Example

You could create a policy that gives the Developers group permission to use only these APIs: CreateCacheCluster, DescribeCacheClusters, ModifyCacheCluster, RebootCacheCluster, DeleteCacheCluster, DescribeEvents. They could then use those APIs with any cache cluster that belongs to your AWS Account.


For examples of IAM policies that cover ElastiCache actions, see Example Policies for ElastiCache.

No ElastiCache ARNs

ElastiCache has no ARNs, so you can't specify a particular ElastiCache resource in an IAM policy. When writing a policy to control access to ElastiCache actions, you use * as the resource. For more information about ARNs, go to ARNs in the Using IAM documentation.

ElastiCache Actions

In an IAM policy, you can specify any and all actions that ElastiCache offers. Each action name must be prefixed with the service string elasticache:. For example: elasticache:ModifyCacheCluster, elasticache:DescribeCacheClusters, or elasticache:* (for all ElastiCache actions). IAM compares action names case-insensitively, so a policy written with elastiCache: still works, but use the lowercase form shown in the examples in this guide. Note that IAM accepts an action name it does not recognize without reporting an error; a misspelled name (for example, DescribeCacheCluster instead of DescribeCacheClusters) simply grants nothing. For a list of the actions, refer to the Query API action names in the Amazon ElastiCache API Reference.

ElastiCache Keys

ElastiCache implements the following policy keys, but no others. For more information about policy keys, go to Condition in the Using IAM documentation.

AWS-Wide Policy Keys

  • aws:CurrentTime—To check for date/time conditions.

  • aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.

  • aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.

  • aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.

  • aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)

  • aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.

  • aws:UserAgent—To check the client application that made the request.

  • aws:userid—To check the user ID of the requester.

  • aws:username—To check the user name of the requester, if available.

Note

Key names are case sensitive.

Example Policies for ElastiCache

This section shows a few simple policies for controlling user access to Amazon ElastiCache.

Note

In the future, ElastiCache might add new actions that should logically be included in one of the following policies, based on the policy’s stated goals.

Example 1: Allow a Network Admin group to only be able to access the APIs related to ElastiCache security groups

In this example, we create a policy that gives access to the relevant actions and attach it to the group. The resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.

{
   "Version": "2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":[
          "elasticache:CreateCacheSecurityGroup",
          "elasticache:DeleteCacheSecurityGroup",
          "elasticache:DescribeCacheSecurityGroups",
          "elasticache:AuthorizeCacheSecurityGroupIngress",
          "elasticache:RevokeCacheSecurityGroupIngress"],
      "Resource":"*"
      }
   ]
}

Example 2: Allow managers to only be able to list the current ElastiCache resources in the AWS Account

In this example, we create a policy that lets managers use every ElastiCache action whose name begins with Describe. The wildcard elasticache:Describe* matches all of them, including any Describe actions that ElastiCache adds later, and grants nothing else.

{
   "Version": "2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":"elasticache:Describe*",
      "Resource":"*"
      }
   ]
}

Example 3: Allow a system administrator to access a select set of ElastiCache actions

In this example, we create a policy that gives access to the relevant actions for system administrators and attach it to the group. As with the other examples, the resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.

{
   "Version": "2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":[
          "elasticache:ModifyCacheCluster",
          "elasticache:RebootCacheCluster",
          "elasticache:DescribeCacheClusters",
          "elasticache:DescribeEvents",
          "elasticache:ModifyCacheParameterGroup",
          "elasticache:DescribeCacheParameterGroups",
          "elasticache:DescribeCacheParameters",
          "elasticache:ResetCacheParameterGroup",
          "elasticache:DescribeEngineDefaultParameters"],
      "Resource":"*"
      }
   ]
}

Failure to Retrieve Account Attributes

Recent changes to ElastiCache may cause an error for some IAM users who were set up with permissions based on the ElastiCache Full Access policy templates. The error may display "Failed to retrieve account attributes, certain console functions may be impaired." at the top of the page, or "Error calling EC2.DescribeSecurityGroups". The error is caused by the console invoking actions that have not explicitly been given permissions in the ElastiCache Full Access policies.

In order to resolve this issue, your IAM administrator must update the IAM user's policy document to allow two additional Amazon EC2 actions: ec2:DescribeAccountAttributes and ec2:DescribeSecurityGroups. You must make this change for any IAM user or group that was assigned a policy that was based on the ElastiCache Full Access policy templates.

For example, the following code is the default policy document for the ElastiCache Full Access policy template.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticache:*",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "sns:ListTopics",
                "sns:ListSubscriptions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Add the two additional actions stated above to get the following policy document that will give permission to the console to invoke the needed actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticache:*",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "sns:ListTopics",
                "sns:ListSubscriptions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
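The following script is an added example, not code from this guide or from AWS. It is a small offline evaluator for the kind of policy documents shown in Example Policies for ElastiCache and in the Full Access template above: it applies the IAM rules the page relies on (Action strings with wildcards matched case-insensitively, Resource "*" because ElastiCache has no ARNs, an explicit Deny overriding any Allow, and the aws:SourceIp condition key) so you can check, before attaching a policy, whether a misspelled action name would silently grant nothing and whether the actions the console calls are all allowed. The KNOWN_ACTIONS list is a partial set taken from this page, the 203.0.113.0/24 address range is a constructed example office range, and the IAM semantics modelled are deliberately limited to what the page describes.

```python
"""Offline evaluator for the IAM policies shown on this page (added example, not
AWS code). It models only what the page relies on: Action wildcards, Resource "*"
(ElastiCache has no ARNs), explicit deny over allow, and the aws:SourceIp key.
"""
import fnmatch
import ipaddress

# Constructed, partial list of action names taken from this page; the
# authoritative list is the Query API in the ElastiCache API Reference.
KNOWN_ACTIONS = {
    "elasticache:CreateCacheCluster", "elasticache:DescribeCacheClusters",
    "elasticache:ModifyCacheCluster", "elasticache:RebootCacheCluster",
    "elasticache:DeleteCacheCluster", "elasticache:DescribeEvents",
    "elasticache:CreateCacheSecurityGroup", "elasticache:DeleteCacheSecurityGroup",
    "elasticache:DescribeCacheSecurityGroups",
    "elasticache:AuthorizeCacheSecurityGroupIngress",
    "elasticache:RevokeCacheSecurityGroupIngress",
}

# Actions the console calls, as listed in the corrected Full Access policy.
CONSOLE_ACTIONS = [
    "elasticache:DescribeCacheClusters",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
    "ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups",
    "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarms",
    "sns:ListTopics", "sns:ListSubscriptions",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def condition_holds(condition, context):
    """True when every condition key in the block is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # key absent from the request: the test fails
                return False
            if operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            else:
                raise ValueError("condition operator not modelled: " + operator)
    return True

def evaluate(policy, action, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue                    # no ElastiCache ARNs: only "*" can match
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"               # an explicit deny overrides any allow
        decision = "Allow"
    return decision

def unknown_actions(policy, known=KNOWN_ACTIONS):
    """Literal action names matching nothing in `known` (IAM accepts them silently)."""
    lowered = {a.lower() for a in known}
    return [a for s in _as_list(policy["Statement"]) for a in _as_list(s["Action"])
            if "*" not in a and "?" not in a and a.lower() not in lowered]

def console_gaps(policy, console_actions=CONSOLE_ACTIONS):
    """Console actions the policy does not allow (the cause of the page's error)."""
    return [a for a in console_actions if evaluate(policy, a) != "Allow"]

def full_access_policy(extra_ec2=()):
    """The page's Full Access template, optionally with the two added EC2 actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["elasticache:*", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
                   *extra_ec2, "cloudwatch:GetMetricStatistics",
                   "cloudwatch:DescribeAlarms", "sns:ListTopics", "sns:ListSubscriptions"]}]}

# Example 2 from the page, limited to a constructed office range (TEST-NET-3).
MANAGERS_FROM_OFFICE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "elasticache:Describe*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

# Example 1 with the singular "DescribeCacheSecurityGroup": IAM stores it without
# complaint, but no such action exists, so the statement grants nothing for it.
NETWORK_ADMIN_TYPO = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["elasticache:CreateCacheSecurityGroup",
               "elasticache:DescribeCacheSecurityGroup"]}]}
```

Running console_gaps(full_access_policy()) returns the two EC2 actions named in the fix above, and it returns an empty list once they are passed in as extra_ec2; unknown_actions(NETWORK_ADMIN_TYPO) reports the misspelled Describe action, and evaluate(MANAGERS_FROM_OFFICE, ...) allows a Describe call only when aws:SourceIp falls inside the range. This is a local approximation; for a policy already attached to a real user, the authoritative check is aws iam simulate-principal-policy with the same action names.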

For information about updating IAM policies, see Managing IAM Policies.