Amazon ElastiCache - AWS GovCloud (US)

Amazon ElastiCache

Amazon ElastiCache makes it easy to set up, manage, and scale distributed in-memory cache environments in the AWS Cloud. It provides a high performance, resizable, and cost-effective in-memory cache, while removing complexity associated with deploying and managing a distributed cache environment. ElastiCache works with both the Redis and Memcached engines; to see which works best for you, see the Comparing Memcached and Redis topic in either user guide.

How Amazon ElastiCache Differs for AWS GovCloud (US)

  • All ElastiCache instances must be launched in an Amazon VPC.

  • ElastiCache clusters have a preferred weekly maintenance window. For information about the time blocks, see Cache Engine Version Management.

Documentation for Amazon ElastiCache

Amazon ElastiCache documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

ITAR-Regulated Data Not Permitted

  • You may store and process ITAR-regulated data in ElastiCache cache clusters only if the data is encrypted on the client side.

  • Unencrypted data stored in a cache cluster may not contain ITAR-regulated data.

  • ElastiCache metadata is not permitted to contain ITAR-regulated data. This metadata includes all the configuration data that you enter when creating and maintaining your ElastiCache clusters.

  • Do not enter ITAR-regulated data in the following fields:

    • Cluster instance identifier

    • Cluster name

    • Cluster snapshot name

    • Cluster security group name

    • Cluster security group description

    • Cluster parameter group name

    • Cluster parameter group description

    • Cluster subnet group name

    • Cluster subnet group description

    • Replication group name

    • Replication group description

If you are processing ITAR-regulated data with ElastiCache, follow these guidelines in order to maintain ITAR compliance:

  • To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

    • For example, if you're running an application server on an Amazon EC2 instance that connects to an ElastiCache cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC and into any server that could possibly be outside of AWS GovCloud (US) Regions

    • To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

  • For each cluster that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from AWS GovCloud (US) Regions or other ITAR-controlled environments to ITAR-controlled clusters.

ElastiCache requires the use of the SSL (HTTPS) endpoint for service API calls. For a list of endpoints, see Service Endpoints.