[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH [ElastiCache.7] ElastiCache clusters should not use the default subnet group

Amazon ElastiCache controls

These controls are related to ElastiCache resources.

These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > Backups enabled

Severity: High

Resource type: AWS::ElastiCache::CacheCluster

AWS Config rule: elasticache-redis-cluster-automatic-backup-check

Schedule type: Periodic

Parameters:

Parameter	Description	Type	Allowed custom values	Security Hub default value
`snapshotRetentionPeriod`	Minimum snapshot retention period in days	Integer	`1` to `35`	`1`

This control evaluates if an Amazon ElastiCache for Redis cluster has automatic backups scheduled. The control fails if the SnapshotRetentionLimit for the Redis cluster is less than the specified time period. Unless you provide a custom parameter value for the snapshot retention period, Security Hub uses a default value of 1 day.

Amazon ElastiCache for Redis clusters can back up their data. You can use the backup to restore a cluster or seed a new cluster. The backup consists of the cluster's metadata, along with all of the data in the cluster. All backups are written to Amazon Simple Storage Service (Amazon S3), which provides durable storage. You can restore your data by creating a new Redis cluster and populating it with data from a backup. You can manage backups using the AWS Management Console, the AWS Command Line Interface (AWS CLI), and the ElastiCache API.

Remediation

To schedule automatic backups on an ElastiCache for Redis cluster, see Scheduling automatic backups in the Amazon ElastiCache User Guide.

[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled

Related requirements: NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5)

Category: Identify > Vulnerability, patch, and version management

Severity: High

Resource type: AWS::ElastiCache::CacheCluster

AWS Config rule: elasticache-auto-minor-version-upgrade-check

Schedule type: Periodic

Parameters: None

This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied.

AutoMinorVersionUpgrade is a feature that you can turn on in ElastiCache for Redis to have your cache clusters automatically upgraded when a new minor cache engine version is available. These upgrades might include security patches and bug fixes. Staying up-to-date with patch installation is an important step in securing systems.

Remediation

To apply automatic minor version upgrades to an existing ElastiCache for Redis cache cluster, see Upgrading engine versions in the Amazon ElastiCache User Guide.

[ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > High availability

Severity: Medium

Resource type: AWS::ElastiCache::ReplicationGroup

AWS Config rule: elasticache-repl-grp-auto-failover-enabled

Schedule type: Periodic

Parameters: None

This control checks if ElastiCache for Redis replication groups have automatic failover enabled. This control fails if automatic failover isn't enabled for a Redis replication group.

When automatic failover is enabled for a replication group, the role of primary node will automatically fail over to one of the read replicas. This failover and replica promotion ensure that you can resume writing to the new primary after promotion is complete, which reduces overall downtime in case of failure.

Remediation

To enable automatic failover for an existing ElastiCache for Redis replication group,, see Modifying an ElastiCache cluster in the Amazon ElastiCache User Guide. If you use the ElastiCache console, set Auto failover to enabled.

[ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

Category: Protect > Data Protection > Encryption of data-at-rest

Severity: Medium

Resource type: AWS::ElastiCache::ReplicationGroup

AWS Config rule: elasticache-repl-grp-encrypted-at-rest

Schedule type: Periodic

Parameters: None

This control checks if ElastiCache for Redis replication groups are encrypted at rest. This control fails if an ElastiCache for Redis replication group isn't encrypted at rest.

Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. ElastiCache for Redis replication groups should be encrypted at rest for an added layer of security.

Remediation

To configure at-rest encryption on an ElastiCache for Redis replication group, see Enabling at-rest encryption in the Amazon ElastiCache User Guide.

[ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit

Related requirements: NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)

Category: Protect > Data Protection > Encryption of data-in-transit

Severity: Medium

Resource type: AWS::ElastiCache::ReplicationGroup

AWS Config rule: elasticache-repl-grp-encrypted-in-transit

Schedule type: Periodic

Parameters: None

This control checks if ElastiCache for Redis replication groups are encrypted in transit. This control fails if an ElastiCache for Redis replication group isn't encrypted in transit.

Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic. Enabling encryption in transit on an ElastiCache for Redis replication group encrypts your data whenever it's moving from one place to another, such as between nodes in your cluster or between your cluster and your application.

Remediation

To configure in-transit encryption on an ElastiCache for Redis replication group, see Enabling in-transit encryption in the Amazon ElastiCache User Guide.

[ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH

Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

Category: Protect > Secure access management

Severity: Medium

Resource type: AWS::ElastiCache::ReplicationGroup

AWS Config rule: elasticache-repl-grp-redis-auth-enabled

Schedule type: Periodic

Parameters: None

This control checks if ElastiCache for Redis replication groups have Redis AUTH enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use.

When you use Redis authentication tokens, or passwords, Redis requires a password before allowing clients to run commands, which improves data security. For Redis 6.0 and later versions, we recommend using Role-Based Access Control (RBAC). Since RBAC is not supported for Redis versions earlier than 6.0, this control only evaluates versions which can't use the RBAC feature.

Remediation

To use Redis AUTH on an ElastiCache for Redis replication group, see Modifying the AUTH token on an existing ElastiCache for Redis cluster in the Amazon ElastiCache User Guide.

[ElastiCache.7] ElastiCache clusters should not use the default subnet group

Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::ElastiCache::CacheCluster

AWS Config rule: elasticache-subnet-group-check

Schedule type: Periodic

Parameters: None

This control checks if ElastiCache clusters are configured with a custom subnet group. The control fails for an ElastiCache cluster if CacheSubnetGroupName has the value default.

When launching an ElastiCache cluster, a default subnet group is created if one doesn't exist already. The default group uses subnets from the default Virtual Private Cloud (VPC). We recommend using custom subnet groups that are more restrictive of the subnets that the cluster resides in, and the networking that the cluster inherits from the subnets.

Remediation

To create a new subnet group for an ElastiCache cluster, see Creating a subnet group in the Amazon ElastiCache User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon EKS controls

Elastic Beanstalk controls