AWS GovCloud (US)
User Guide

Amazon ElastiCache

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • All ElastiCache instances must be launched in an Amazon VPC.

  • ElastiCache clusters have a preferred weekly maintenance window. For information about the time blocks, see Cache Engine Version Management.

For more information about ElastiCache, see the ElastiCache documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • You may store and process ITAR-regulated data in ElastiCache cache clusters only if the data is encrypted on the client side.

ITAR-Regulated Data Not Permitted

  • Unencrypted data stored in a cache cluster may not contain ITAR-regulated data.

  • ElastiCache metadata is not permitted to contain ITAR-regulated data. This metadata includes all the configuration data that you enter when creating and maintaining your ElastiCache clusters.

  • Do not enter ITAR-regulated data in the following fields:

    • Cluster instance identifier

    • Cluster name

    • Cluster snapshot name

    • Cluster security group name

    • Cluster security group description

    • Cluster parameter group name

    • Cluster parameter group description

    • Cluster subnet group name

    • Cluster subnet group description

    • Replication group name

    • Replication group description

If you are processing ITAR-regulated data with ElastiCache, follow these guidelines in order to maintain ITAR compliance:

  • To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

    • For example, if you're running an application server on an Amazon EC2 instance that connects to an ElastiCache cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC to a server that could be outside of the AWS GovCloud (US) Region.

    • To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

  • For each cluster that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Region or other ITAR-controlled environments to ITAR-controlled clusters.
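One way to check the network ACL guideline above is to evaluate a network ACL's egress entries in rule order and report any allow rule that lets traffic on the cache port leave the VPC. The following is an added example, not code from the AWS documentation. The entries use the field names returned by the EC2 DescribeNetworkAcls API; the VPC CIDR, the port 6379, the rule sets, and the helper names are constructed assumptions.

```python
import ipaddress

def rule(num, action, proto, cidr, ports=None, egress=True):
    """Build an entry shaped like an EC2 DescribeNetworkAcls 'Entries' item."""
    e = {"RuleNumber": num, "RuleAction": action, "Protocol": proto,
         "CidrBlock": cidr, "Egress": egress}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

def matches_port(entry, port):
    """True if the entry applies to TCP traffic on `port`."""
    if entry["Protocol"] == "-1":            # -1 = all protocols and ports
        return True
    if entry["Protocol"] != "6":             # 6 = TCP
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]

def egress_leaks(entries, vpc_cidr, port):
    """Return (rule number, CIDR) of egress allows that let `port` leave the VPC.
    Rules are evaluated in ascending rule number and the first match decides.
    Conservative: an allow is accepted only if its CIDR is inside the VPC or
    an earlier deny covers its whole CIDR. IPv4 entries only.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    denies, leaks = [], []
    rules = [e for e in entries
             if e["Egress"] and "CidrBlock" in e and matches_port(e, port)]
    for e in sorted(rules, key=lambda e: e["RuleNumber"]):
        net = ipaddress.ip_network(e["CidrBlock"])
        if e["RuleAction"] == "deny":
            denies.append(net)
        elif not net.subnet_of(vpc) and not any(net.subnet_of(d) for d in denies):
            leaks.append((e["RuleNumber"], e["CidrBlock"]))
    return leaks

# Constructed sample data: VPC 10.0.0.0/16, cache port 6379 (assumed).
VPC, CACHE_PORT = "10.0.0.0/16", 6379
WEAK = [rule(100, "allow", "-1", "0.0.0.0/0"),
        rule(32767, "deny", "-1", "0.0.0.0/0")]
HARDENED = [rule(100, "allow", "6", VPC, (CACHE_PORT, CACHE_PORT)),
            rule(110, "deny", "6", "0.0.0.0/0", (CACHE_PORT, CACHE_PORT)),
            rule(200, "allow", "-1", "0.0.0.0/0"),
            rule(32767, "deny", "-1", "0.0.0.0/0")]

if __name__ == "__main__":
    print("weak:", egress_leaks(WEAK, VPC, CACHE_PORT))
    print("hardened:", egress_leaks(HARDENED, VPC, CACHE_PORT))
```

If you have multiple databases configured with different ports, run the check once per port, because a deny entry scoped to one port range does not cover the others.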

ElastiCache requires the use of the SSL (HTTPS) endpoint for service API calls. For a list of endpoints, see AWS GovCloud (US) Endpoints.
