Amazon ElastiCache for Redis
ElastiCache for Redis User Guide (API Version 2015-02-02)

ElastiCache for Redis Compliance

In this section, you can find the compliance requirements and controls offered when using Amazon ElastiCache for Redis.

Self-Service Security Updates for Compliance

ElastiCache offers a self-service software update feature called Service Updates, available through the Console, API and CLI. Using this feature, you can manage security updates on your Redis clusters on demand and in real time. You control when your Redis clusters are updated with the latest required security fixes, which minimizes the impact on your business.

Security updates are released via the Service Updates feature. They are identified by an Update Type field with the value security update. Each Service Update has corresponding Severity and Recommended Apply by Date fields. To maintain compliance of your Redis clusters, you must apply the available updates by the Recommended Apply by Date. The SLA Met field reflects your Redis cluster’s compliance status.

Note

If you do not apply the Service Update by the recommended date or when the Service Update expires, ElastiCache will not take any action to apply the update on your behalf.
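Because ElastiCache does not apply an update for you, the deadline has to be tracked on your side. The following is an added example, not part of the AWS documentation: it triages records shaped like the output of `aws elasticache describe-update-actions`. The sample records, the function name and the 14-day warning window are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the UpdateActions list that
# `aws elasticache describe-update-actions --output json` returns.
# Resource names, update names and dates are invented for illustration.
SAMPLE_ACTIONS = [
    {"ReplicationGroupId": "orders-cache", "ServiceUpdateName": "example-update-1",
     "ServiceUpdateType": "security-update", "ServiceUpdateSeverity": "critical",
     "ServiceUpdateRecommendedApplyByDate": "2020-03-01T23:59:59+00:00",
     "UpdateActionStatus": "not-applied", "SlaMet": "no"},
    {"ReplicationGroupId": "session-cache", "ServiceUpdateName": "example-update-1",
     "ServiceUpdateType": "security-update", "ServiceUpdateSeverity": "critical",
     "ServiceUpdateRecommendedApplyByDate": "2020-03-01T23:59:59+00:00",
     "UpdateActionStatus": "complete", "SlaMet": "yes"},
    {"CacheClusterId": "audit-cache", "ServiceUpdateName": "example-update-2",
     "ServiceUpdateType": "security-update", "ServiceUpdateSeverity": "important",
     "ServiceUpdateRecommendedApplyByDate": "2020-03-20T23:59:59+00:00",
     "UpdateActionStatus": "not-applied", "SlaMet": "n/a"},
]

def triage_security_updates(actions, now, warn_days=14):
    """Return (resource, update, severity, state) for unapplied security updates.

    state is "overdue" once the Recommended Apply by Date has passed and
    "due-soon" inside the warning window; later deadlines are not reported.
    """
    findings = []
    for a in actions:
        if a.get("ServiceUpdateType") != "security-update":
            continue  # only security updates carry the compliance deadline
        if a.get("UpdateActionStatus") in ("complete", "not-applicable"):
            continue  # nothing left to apply on this resource
        due = datetime.fromisoformat(a["ServiceUpdateRecommendedApplyByDate"])
        if now > due:
            state = "overdue"
        elif due - now <= timedelta(days=warn_days):
            state = "due-soon"
        else:
            continue
        resource = a.get("ReplicationGroupId") or a.get("CacheClusterId")
        findings.append((resource, a["ServiceUpdateName"],
                         a.get("ServiceUpdateSeverity"), state))
    # Overdue first, so the report leads with deadlines that were already missed.
    return sorted(findings, key=lambda f: f[3] != "overdue")

if __name__ == "__main__":
    today = datetime(2020, 3, 10, tzinfo=timezone.utc)
    for row in triage_security_updates(SAMPLE_ACTIONS, today):
        print(*row)
```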

You will be notified of the Service Updates applicable to your Redis clusters via an announcement on the Redis console, email, Amazon SNS, CloudWatch events and Personal Health Dashboard. For more information on Self-Service Maintenance, see Self-Service Updates in Amazon ElastiCache.

 

CloudWatch events and Personal Health Dashboard are not supported in the following regions:

  • us-gov-west-1

  • us-gov-east-1

  • cn-north-1

  • cn-northwest-1

ElastiCache for Redis FedRAMP Compliance

The AWS FedRAMP Compliance program includes Amazon ElastiCache for Redis as a FedRAMP-authorized service. If you are a federal or commercial customer, you can use the service to process and store sensitive workloads in AWS US East and US West with data up to the moderate impact level. You can use the service for sensitive workloads in the AWS GovCloud (US) Region’s authorization boundary with data up to the high impact level.

You can request access to the AWS FedRAMP Security Packages through the FedRAMP PMO or your AWS Sales Account Manager, or you can download them through AWS Artifact.

Requirements

To enable FedRAMP support on your ElastiCache for Redis cluster, your cluster and nodes within the cluster must satisfy the following requirements.

  • Engine version requirements – Your cluster must be running ElastiCache for Redis 3.2.6, 4.0.10 and later for both cluster mode enabled and disabled to qualify for FedRAMP compliance.

  • Node type requirements – Your cluster must be running a current-generation node type — M4, M5, T2, R4 or R5. For more information, see the following:

  • FIPS Endpoints requirements – Your ElastiCache for Redis cluster can be created using the FIPS endpoints available in the following regions:

    Region Name/Region                           FIPS Endpoint
    US East (Ohio) Region, us-east-2             elasticache-fips.us-east-2.amazonaws.com
    US East (N. Virginia) Region, us-east-1      elasticache-fips.us-east-1.amazonaws.com
    US West (N. California) Region, us-west-1    elasticache-fips.us-west-1.amazonaws.com
    US West (Oregon) Region, us-west-2           elasticache-fips.us-west-2.amazonaws.com
    AWS GovCloud (US-West), us-gov-west-1        elasticache-fips.us-gov-west-1.amazonaws.com

  • Security Updates Requirement – You must regularly update your Redis cluster by the Recommended Apply by Date. You can update the cluster in real-time and on-demand to ensure no impact to your business. For more information, see Self-Service Updates in Amazon ElastiCache.

HIPAA Eligibility

The AWS HIPAA Compliance program includes Amazon ElastiCache for Redis as a HIPAA eligible service.

To use ElastiCache for Redis in compliance with HIPAA, you need to execute a Business Associate Agreement (BAA) with AWS. In addition, your cluster and the nodes within your cluster must satisfy the requirements for engine version, node type, and data security listed in the following section.

Requirements

To enable HIPAA support on your ElastiCache for Redis cluster, your cluster and nodes within the cluster must satisfy the following requirements.

By implementing these requirements, ElastiCache for Redis can be used to store, process, and access Protected Health Information (PHI) in compliance with HIPAA.

For general information about AWS Cloud and HIPAA eligibility, see the following:

ElastiCache for Redis PCI DSS Compliance

The AWS PCI DSS Compliance program includes Amazon ElastiCache for Redis as a PCI-compliant service. The PCI DSS 3.2 Compliance Package can be downloaded through AWS Artifact. For more information, see AWS PCI DSS Compliance Program.

Requirements

To enable PCI DSS support on your ElastiCache for Redis cluster, your cluster and nodes within the cluster must satisfy the following requirements.

  • Engine version requirements – Your cluster must be running ElastiCache for Redis 3.2.6, 4.0.10 and later for both cluster mode enabled and disabled.

  • Node type requirements – Your cluster must be running a current-generation node type — M4, M5, T2, R4 or R5. For more information, see the following:

  • Security Updates Requirement – You must regularly update your Redis cluster by the Recommended Apply by Date. You can update the cluster in real-time and on-demand to ensure no impact to your business. For more information, see Self-Service Updates in Amazon ElastiCache.
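The engine version and node type requirements in this list are the same as in the FedRAMP list, so one check can cover both. The following is an added example, not part of the AWS documentation: it validates a cluster description and, when FIPS endpoints are needed, the API host. The function names are hypothetical, and reading "3.2.6, 4.0.10 and later" as "exactly 3.2.6, or 4.0.10 and newer" is an assumption.

```python
import re

# Values copied from the requirement lists and the FIPS endpoint table on this page.
ALLOWED_FAMILIES = {"m4", "m5", "t2", "r4", "r5"}
FIPS_REGIONS = ("us-east-2", "us-east-1", "us-west-1", "us-west-2", "us-gov-west-1")
FIPS_ENDPOINTS = {r: f"elasticache-fips.{r}.amazonaws.com" for r in FIPS_REGIONS}

def engine_version_ok(version):
    """Assumption: "3.2.6, 4.0.10 and later" means exactly 3.2.6, or >= 4.0.10."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    return parts == (3, 2, 6) or parts >= (4, 0, 10)

def node_family(node_type):
    """'cache.r5.large' -> 'r5'; returns '' for an unexpected format."""
    m = re.fullmatch(r"cache\.([a-z0-9]+)\.[a-z0-9]+", node_type)
    return m.group(1) if m else ""

def check_cluster(cluster, region, api_host=None):
    """Return a list of findings; an empty list means every check passed.

    cluster uses the EngineVersion and CacheNodeType keys of a
    describe-cache-clusters entry. api_host is the API hostname the
    cluster is created through; pass it only when FIPS endpoints are needed.
    """
    findings = []
    if not engine_version_ok(cluster["EngineVersion"]):
        findings.append(f"engine version {cluster['EngineVersion']} not eligible")
    family = node_family(cluster["CacheNodeType"])
    if family not in ALLOWED_FAMILIES:
        findings.append(f"node type {cluster['CacheNodeType']} not in M4/M5/T2/R4/R5")
    if api_host is not None:
        expected = FIPS_ENDPOINTS.get(region)
        if expected is None:
            findings.append(f"no FIPS endpoint listed for {region}")
        elif api_host.lower() != expected:
            findings.append(f"API host {api_host} is not {expected}")
    return findings

if __name__ == "__main__":
    # Constructed sample: old engine, previous-generation node, standard endpoint.
    legacy = {"EngineVersion": "3.2.10", "CacheNodeType": "cache.m3.medium"}
    for f in check_cluster(legacy, "us-east-1", "elasticache.us-east-1.amazonaws.com"):
        print("FAIL:", f)
```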

ElastiCache for Redis also offers Data Security Controls to further secure the cluster to store, process, and transmit sensitive financial data like Customer Cardholder Data (CHD) when using the service.

Create and Seed a New Compliant Cluster

To create a compliant cluster, create a new cluster and make sure that your choices fulfill the requirements for the compliance you want. These requirements can include engine version, node type, encryption, and, if needed, FIPS endpoints. If you choose, you can seed a new compliant cluster with data from an existing cluster as you're creating it. For more information, see the following:

More Information

For general information about AWS Cloud compliance, see the following: