Amazon ElastiCache
User Guide (API Version 2014-09-30)

Controlling ElastiCache Access with IAM

ElastiCache allows you to control access to your cache clusters using cache security groups. A cache security group acts like a firewall controlling network access to your cache cluster.

Important

ElastiCache uses cache security groups to control who has access to specific ElastiCache cache clusters. There's no way in the IAM system to allow or deny access to a specific cache cluster.

For more information about using security groups with ElastiCache, refer to the Amazon ElastiCache User Guide.

About IAM

Amazon ElastiCache integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

  • Create users and groups under your AWS account

  • Easily share your AWS resources between the users in your AWS account

  • Assign unique security credentials to each user

  • Control each user's access to services and resources

  • Get a single bill for all users in your AWS account

For example, you can use IAM with ElastiCache to control which Users in your AWS Account can create or modify cache clusters for your AWS Account.

For more information about IAM, see the following:

For more information on using IAM with ElastiCache, see Controlling ElastiCache Access with IAM.

ElastiCache Security Groups and IAM

Using IAM with ElastiCache doesn't change how you use ElastiCache cache security groups to grant access to cache clusters. However, you can use IAM policies to specify which ElastiCache actions a User in your AWS Account can use with ElastiCache resources in general. Because you can't specify a particular cache cluster in the policy, you must specify * as the resource to indicate all cache clusters in the AWS Account.

Example

You could create a policy that gives the Developers group permission to use only these APIs: CreateCacheCluster, DescribeCacheClusters, ModifyCacheCluster, RebootCacheCluster, DeleteCacheCluster, DescribeEvents. They could then use those APIs with any cache cluster that belongs to your AWS Account.


For examples of IAM policies that cover ElastiCache actions, see Example Policies for ElastiCache.

ElastiCache Resources and IAM

When you create an IAM policy for ElastiCache, you can't use an ElastiCache Amazon Resource Name (ARN) to scope your policy to particular ElastiCache resources. In the Resource section of the policy, you must use the wildcard character, "*", which applies the policy permissions to all your ElastiCache resources. Instead, you scope your policy to specific actions, as described following.

For more information about IAM, go to the Using IAM documentation.

ElastiCache Actions and IAM

When you create an IAM policy for ElastiCache, your policy is scoped to specific actions, not resources. The policy is attached to specific users or groups and applies the policy permissions to all your ElastiCache resources. In the Action portion of the IAM policy for ElastiCache, you scope your policy by specifying any or all ElastiCache actions that you want to control access to. When writing a policy to control access to ElastiCache actions, use "elastiCache:actionName" to specify which action or actions the policy is controlling, for example: "elastiCache:DescribeCacheClusters". To control access to multiple actions, list the actions in a comma-delimited list. Each action name in the list must be prefixed with elastiCache:, for example: "elastiCache:ModifyCacheCluster", "elastiCache:DescribeCacheClusters".

For a list of all ElastiCache actions, go to the Query API Actions in the Amazon ElastiCache API Reference.

Example Action Patterns

Following are some examples that show patterns you can use to specify actions in an IAM policy.

  • To control access to a single specific ElastiCache action, specify the ElastiCache action name.

    "Action":
        "elastiCache:CreateCacheCluster"

  • To control access to two or more ElastiCache actions, specify each action name individually in a comma-delimited list within brackets. Note that each action in the list is prefaced with elastiCache:.

    "Action":[
        "elastiCache:CreateCacheCluster",
        "elastiCache:CreateReplicationGroup"]

  • To control access to all actions that begin with the same characters, use the wildcard (*) as part of the action name. This example is for all ElastiCache actions that begin with "Create", such as CreateCacheCluster, CreateReplicationGroup, CreateSnapshot, and so on.

    "Action":
        "elastiCache:Create*"

  • To control access to all ElastiCache actions, use the wildcard (*) as the action name.

    "Action":
        "elastiCache:*"

  • To control access to a group of actions and specific actions, you can mix wildcarded actions with specific actions in a comma-delimited list enclosed in brackets.

    "Action":[
        "elastiCache:Create*",
        "elastiCache:Delete*",
        "elastiCache:RemoveTagsFromResource",
        "elastiCache:Describe*"]

For example IAM policies for ElastiCache, go to the section Example Policies for ElastiCache below.

ElastiCache Keys

ElastiCache implements the following policy keys, but no others. For more information about policy keys, go to Condition in the Using IAM documentation.

AWS-Wide Policy Keys

  • aws:CurrentTime—To check for date/time conditions.

  • aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.

  • aws:PrincipalType—To check the type of principal (user, account, federated user, etc.) for the current request.

  • aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.

  • aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)

  • aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.

  • aws:UserAgent—To check the client application that made the request.

  • aws:userid—To check the user ID of the requester.

  • aws:username—To check the user name of the requester, if available.

Note

Key names are case sensitive.

Example Policies for ElastiCache

This section shows a few simple policies for controlling user access to Amazon ElastiCache.

Note

In the future, ElastiCache might add new actions that should logically be included in one of the following policies, based on the policy’s stated goals.

Example 1: Allow a Network Admin group to access only the APIs related to ElastiCache security groups

In this example, we create a policy that gives access to the relevant actions and attach it to the group. The resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:CreateCacheSecurityGroup",
                "elasticache:DeleteCacheSecurityGroup",
                "elasticache:DescribeCacheSecurityGroups",
                "elasticache:AuthorizeCacheSecurityGroupIngress",
                "elasticache:RevokeCacheSecurityGroupIngress"],
            "Resource": "*"
        }
    ]
}

Example 2: Allow managers only to list the current ElastiCache resources in the AWS Account

In this example, we create a policy that lets managers use the ElastiCache actions with Describe in the name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "elasticache:Describe*",
            "Resource": "*"
        }
    ]
}

Example 3: Allow a system administrator to access a select set of ElastiCache actions

In this example, we create a policy that gives access to the relevant actions for system administrators and attach it to the group. As with the other examples, the resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:ModifyCacheCluster",
                "elasticache:RebootCacheCluster",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeEvents",
                "elasticache:ModifyCacheParameterGroup",
                "elasticache:DescribeCacheParameterGroups",
                "elasticache:DescribeCacheParameters",
                "elasticache:ResetCacheParameterGroup",
                "elasticache:DescribeEngineDefaultParameters"],
            "Resource": "*"
        }
    ]
}

Failure to Retrieve Account Attributes

Recent changes to ElastiCache may cause an error for some IAM users whose permissions were set up based on the ElastiCache Full Access AWS managed policies. The error appears either as "Failed to retrieve account attributes, certain console functions may be impaired." at the top of the page, or as "Error calling EC2.DescribeSecurityGroups". The error occurs because the console invokes actions that the ElastiCache Full Access policies do not explicitly grant.

To resolve this issue, your IAM administrator must update the IAM user's policy document to allow two additional Amazon EC2 actions: ec2:DescribeAccountAttributes and ec2:DescribeSecurityGroups. You must make this change for any IAM user or group that was assigned a policy based on the ElastiCache Full Access AWS managed policies.

For example, the following is the default policy document for the ElastiCache Full Access AWS managed policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:*",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "sns:ListTopics",
                "sns:ListSubscriptions"],
            "Resource":"*"
        }
    ]
}

Adding the two actions stated above gives the following policy document, which grants the console permission to invoke the actions it needs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:*",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "sns:ListTopics",
                "sns:ListSubscriptions"],
            "Resource":"*"
        }
    ]
}
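The following Python is an added example, not AWS's policy evaluation engine or any code from the ElastiCache documentation. It makes the action patterns from "Example Action Patterns", the Describe* policy from Example 2, the aws:SecureTransport and aws:SourceIp keys from "ElastiCache Keys", and the managed-policy fix above concrete by implementing a deliberately small subset of IAM evaluation: action matching with the * and ? wildcards (case-insensitive, which is how IAM compares action names), an explicit Deny overriding any Allow, and three condition operators. The function names, the request-context dictionaries, and the sample policies (copied from this page or constructed and labelled as such) are all the example's own assumptions.

```python
import ipaddress
import json
import re

# Added illustration, not AWS's policy engine: covers Effect, Action with the
# "*" and "?" wildcards, and a Condition subset (Bool, IpAddress, StringEquals).
# Resource is treated as "*" throughout, the only value ElastiCache policies
# can use; NotAction, NotResource and Principal are not handled.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_pattern_matches(pattern: str, action: str) -> bool:
    """True if a pattern such as "elasticache:Describe*" covers `action`.
    IAM compares action names case-insensitively, so "elastiCache:" and
    "elasticache:" are interchangeable."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, flags=re.IGNORECASE) is not None

def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context. A missing key or
    an operator this example does not know fails closed."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if operator == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False)
                         for e in expected)
            elif operator == "StringEquals":
                ok = str(actual) in expected
            else:
                ok = False
            if not ok:
                return False
    return True

def evaluate(policy: dict, action: str, context: dict = None) -> str:
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one action.
    An explicit Deny wins over any Allow; nothing matched is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(action_pattern_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context or {}):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def missing_actions(policy: dict, required: list) -> list:
    """Required actions the policy does not allow unconditionally."""
    return [a for a in required if evaluate(policy, a) != "Allow"]

def add_actions(policy: dict, actions: list) -> dict:
    """Copy of `policy` with the not-yet-allowed `actions` appended to its first
    unconditional Allow statement on Resource "*"; the input is left untouched."""
    fixed = json.loads(json.dumps(policy))
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*" and "Condition" not in stmt:
            stmt["Action"] = _as_list(stmt.get("Action", [])) + missing_actions(fixed, actions)
            return fixed
    raise ValueError('no unconditional Allow statement with Resource "*" to extend')

# Constructed input: the ElastiCache Full Access document shown above, before the fix.
FULL_ACCESS_BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["elasticache:*", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
               "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarms",
               "sns:ListTopics", "sns:ListSubscriptions"],
    "Resource": "*"}]}

# The two EC2 actions the console needs, from the section above.
CONSOLE_EC2_ACTIONS = ["ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups"]

# Constructed input: the managers' Describe* policy from Example 2, with an added
# Deny on the aws:SecureTransport key so requests not sent over SSL are refused.
MANAGERS_TLS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticache:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticache:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    print(missing_actions(FULL_ACCESS_BEFORE, CONSOLE_EC2_ACTIONS))
    print(missing_actions(add_actions(FULL_ACCESS_BEFORE, CONSOLE_EC2_ACTIONS), CONSOLE_EC2_ACTIONS))
    print(evaluate(MANAGERS_TLS_ONLY, "elasticache:DescribeCacheClusters", {"aws:SecureTransport": "false"}))
```

Run against the unmodified Full Access document, missing_actions reports both EC2 actions; after add_actions it reports none, while the original dictionary is left as it was. The evaluator fails closed on a missing condition key or an operator it does not implement, which is the safe direction for an audit tool; for an authoritative answer on a real policy, use the IAM policy simulator rather than a reimplementation like this.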

For information about updating IAM policies, see Managing IAM Policies.