- ElastiCache Cluster In VPC
Ensure that all your Amazon ElastiCache cache clusters are provisioned within the EC2-VPC platform instead of the outdated EC2-Classic platform, for better flexibility and control over cluster security, advanced traffic routing, and high availability.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Creating and managing Amazon ElastiCache cache clusters using the EC2-VPC platform instead of EC2-Classic can bring multiple advantages such as better networking infrastructure (network isolation, cluster subnet groups, and Elastic IP addresses), much more flexible control over access security (network ACLs, VPC security group outbound traffic filtering), and the capability to run cache clusters on single-tenant hardware.
Audit
To determine the type of the EC2 platform (EC2-Classic or EC2-VPC) used to deploy your Amazon ElastiCache clusters, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to the Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.
03 For Redis cache clusters:
- In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
- Click on the name (link) of the Redis cache cluster that you want to examine.
- Select the Network and security tab and check the Subnet group name attribute value, in the Connectivity section, to identify the name of the associated VPC subnet group. If the Subnet group name attribute does not have a value, the selected Redis cache cluster is not running within a Virtual Private Cloud (VPC); therefore, your cache cluster is using the outdated EC2-Classic platform.
04 For Memcached cache clusters:
- In the navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
- Click on the name (link) of the Memcached cache cluster that you want to examine.
- Select the Network and security tab and check the Subnet group name attribute value, in the Connectivity section, to identify the name of the associated VPC subnet group. If the Subnet group name attribute does not have a value, the selected Memcached cache cluster is not running within a VPC; therefore, your cache cluster is using the EC2-Classic platform.
05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned within the current AWS region.
06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 For Redis cache clusters:
- Run describe-replication-groups command (OSX/Linux/UNIX) to list the identifier (name) of each Redis replication group available in the selected AWS cloud region:
aws elasticache describe-replication-groups --region us-east-1 --output table --query 'ReplicationGroups[*].ReplicationGroupId'
- The command output should return a table with the requested resource names:
----------------------------------
|   DescribeReplicationGroups    |
+--------------------------------+
|  cc-production-redis-cluster   |
|  cc-webapp-redis-cache-cluster |
+--------------------------------+
- Run the describe-replication-groups command (OSX/Linux/UNIX) again, with the name of the replication group that you want to examine as the identifier parameter, to list the names of the cache clusters provisioned for the selected replication group:
aws elasticache describe-replication-groups --region us-east-1 --replication-group-id cc-production-redis-cluster --query 'ReplicationGroups[*].MemberClusters | []'
- The command output should return the name of the member cache clusters:
[ "cc-production-redis-cluster-0001-001", "cc-production-redis-cluster-0001-002" ]
- Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Redis cache cluster that you want to examine as the identifier parameter, to describe the name of the VPC subnet group used by the selected cache cluster:
aws elasticache describe-cache-clusters --region us-east-1 --cache-cluster-id cc-production-redis-cluster-0001-001 --query 'CacheClusters[*].CacheSubnetGroupName'
- The command output should return the name of the associated subnet group:
[ "" ]
If the describe-cache-clusters command output returns an empty string (i.e. ""), as shown in the output example above, the selected Redis cache cluster is not associated with a VPC subnet group; therefore, your cache cluster is using the EC2-Classic platform instead of the EC2-VPC platform.
02 For Memcached cache clusters:
- Run describe-cache-clusters command (OSX/Linux/UNIX) to list the name of each Memcached cache cluster available in the selected AWS cloud region:
aws elasticache describe-cache-clusters --region us-east-1 --output table --query 'CacheClusters[*].CacheClusterId'
- The command output should return a table with the requested cluster names:
-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-backend-app-memcache-cluster  |
+-----------------------------------+
- Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Memcached cache cluster that you want to examine as the identifier parameter, to describe the name of the VPC subnet group used by the selected cache cluster:
aws elasticache describe-cache-clusters --region us-east-1 --cache-cluster-id cc-production-memcache-cluster --query 'CacheClusters[*].CacheSubnetGroupName'
- The command output should return the name of the associated subnet group:
[ "" ]
If the describe-cache-clusters command output returns an empty string (i.e. ""), as shown in the output example above, the selected Memcached cache cluster is not associated with a VPC subnet group; therefore, your cache cluster is using the EC2-Classic platform.
03 Repeat steps no. 1 and 2 for each Amazon ElastiCache cluster provisioned in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Audit process for other regions.
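The CLI steps above check one cluster at a time. The following script is an added example (not part of the Conformity knowledge base or the AWS CLI) that applies the same test to the whole describe-cache-clusters output for a region: any cluster whose CacheSubnetGroupName is empty or absent is reported as running on EC2-Classic. The sample output embedded in the script is constructed; audit_region() runs the real CLI with the same --region and --output parameters used on this page.

```python
"""Flag Amazon ElastiCache clusters that have no VPC subnet group (EC2-Classic)."""
import json
import subprocess

# Constructed sample in the shape of `aws elasticache describe-cache-clusters`
# JSON output (only the keys relevant to this check are included).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "CacheClusters": [
        {"CacheClusterId": "cc-production-redis-cluster-0001-001",
         "Engine": "redis",
         "ReplicationGroupId": "cc-production-redis-cluster",
         "CacheSubnetGroupName": ""},                      # empty -> EC2-Classic
        {"CacheClusterId": "cc-backend-app-memcache-cluster",
         "Engine": "memcached",
         "CacheSubnetGroupName": "cc-memcache-cluster-sg"},  # in a VPC -> compliant
        {"CacheClusterId": "cc-legacy-memcache-cluster",
         "Engine": "memcached"},                             # key absent -> EC2-Classic
    ]
})


def classic_clusters(describe_output):
    """Return the clusters whose CacheSubnetGroupName is empty or missing.

    Each finding carries the cluster id, engine and (for Redis members)
    the replication group, which is what the remediation steps act on.
    """
    data = json.loads(describe_output)
    findings = []
    for cluster in data.get("CacheClusters", []):
        # Treat a missing key and a blank/whitespace value the same way.
        subnet_group = (cluster.get("CacheSubnetGroupName") or "").strip()
        if not subnet_group:
            findings.append({
                "CacheClusterId": cluster["CacheClusterId"],
                "Engine": cluster.get("Engine", "unknown"),
                "ReplicationGroupId": cluster.get("ReplicationGroupId"),
            })
    return findings


def audit_region(region):
    """Live check: run the AWS CLI for one region and return the findings."""
    result = subprocess.run(
        ["aws", "elasticache", "describe-cache-clusters",
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return classic_clusters(result.stdout)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for finding in classic_clusters(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT (EC2-Classic): {Engine:<9} {CacheClusterId}".format(**finding))
```

Loop audit_region() over each region you use to cover the "repeat for other regions" step.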
Remediation / Resolution
To migrate your Amazon ElastiCache cache cluster to a Virtual Private Cloud (VPC), you must re-create your cache clusters within a VPC subnet group. To relaunch your cache clusters, perform the following actions:
Case A: Redis Cache Clusters
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.
03 In the main navigation panel, under Resources, select Redis caches, and choose Create Redis cache to create a new Redis cache cluster.
- For Step 1 Cluster settings, perform the following actions:
- For Configuration, set Deployment option to Design your own cache and Creation method to Cluster cache.
- For Cluster mode, choose the cluster mode required for your application.
- For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
- For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a multi-AZ and/or failover configuration.
- For Cluster settings, select the Redis engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type configured for the source cluster), and enter the number of replicas to provision in the Number of replicas box.
- For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
- For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
- Choose Next to continue the setup process.
- For Step 2 Advanced settings, perform the following operations:
- For Security, check Enable under Encryption at rest and select an encryption key to enable encryption at rest, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups necessary for controlling network access to your cluster.
- For Backup, check Enable automatic backups to enable automatic backups. Configure the Backup retention period and preferred Backup window.
- For Maintenance, set Maintenance window, check Enable under Auto upgrade minor versions to enable auto minor version upgrades, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification list.
- For Logs, check Enable under Slow logs and Engine logs to enable Redis engine logs and slow logs for the new cluster. Choose the required Log format and Log destination type for each log type.
- (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
- Choose Next to continue the setup.
- For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Redis cache cluster using the EC2-VPC platform.
04 (Optional) To remove the source Redis cache cluster (EC2-Classic) from your AWS cloud account, perform the following actions:
- In the main navigation panel, under Resources, choose Redis caches.
- Select the Redis cache cluster that you want to remove, choose Actions, and select Delete.
- In the confirmation box, choose whether to create a final backup for the source cluster, type the name of the selected cluster in the required text box, then choose Delete to confirm the cluster removal.
05 Repeat steps no. 3 – 5 for each Redis cache cluster that you want to relaunch, available within the current AWS region.
06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Use the EC2-VPC platform to re-create your Redis cache cluster (replication group) with the create-replication-group command (OSX/Linux/UNIX). Set the VPC subnet group with the --cache-subnet-group-name command parameter:
aws elasticache create-replication-group --region us-east-1 --replication-group-id "cc-new-production-cache-cluster" --replication-group-description "Redis Cache Cluster for EC2-VPC Platform" --engine "redis" --num-cache-clusters 2 --cache-node-type "cache.r4.large" --cache-subnet-group-name "cc-redis-cache-sg"
02 The command output should return the information available for the new Redis cache cluster:
{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-new-production-cache-cluster",
        "Description": "Redis Cache Cluster for EC2-VPC Platform",
        "GlobalReplicationGroupInfo": {},
        "Status": "creating",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-new-production-cache-cluster-001",
            "cc-new-production-cache-cluster-002"
        ],
        ...
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "06:00-07:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.r4.large",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-new-production-cache-cluster",
        "LogDeliveryConfigurations": [],
        "DataTiering": "disabled"
    }
}
03 (Optional) To remove the source (non-compliant) Redis cache cluster from your AWS cloud account, run delete-replication-group command (OSX/Linux/UNIX):
aws elasticache delete-replication-group --region us-east-1 --replication-group-id cc-production-cache-cluster
04 The output should return the information available for the deleted Redis cache cluster:
{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-production-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "deleting",
        "PendingModifiedValues": {},
        "AutomaticFailover": "disabled",
        ...
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "05:00-06:00",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "LogDeliveryConfigurations": [],
        "DataTiering": "disabled"
    }
}
05 Repeat steps no. 1 – 4 for each Redis cache cluster that you want to relaunch, available in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.
Case B: Memcached Cache Clusters
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.
03 In the main navigation panel, under Resources, select Memcached caches, and choose Create Memcached cache to create a new Memcached cache cluster.
- For Step 1 Cluster settings, perform the following actions:
- For Choose a cluster creation method, set Deployment option to Design your own cache and Standard create.
- For Location select AWS Cloud.
- For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
- For Cluster settings, select the Memcached engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type configured for the source cluster), and enter the number of nodes to provision in the Number of nodes box.
- For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
- For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
- Choose Next to continue the setup process.
- For Step 2 Advanced settings, perform the following operations:
- For Security, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups required to control network access to your cluster.
- For Maintenance, set Maintenance window, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification dropdown list.
- (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
- Choose Next to continue the setup.
- For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Memcached cache cluster using the EC2-VPC platform.
04 (Optional) To remove the source Memcached cache cluster (EC2-Classic) from your AWS cloud account, perform the following actions:
- In the main navigation panel, under Resources, choose Memcached caches.
- Select the Memcached cache cluster that you want to remove, choose Actions, and select Delete.
- In the confirmation box, choose whether to create a final backup for the source cluster, type the name of the selected cluster in the required text box, then choose Delete to confirm the cluster removal.
05 Repeat steps no. 3 – 5 for each Memcached cache cluster that you want to relaunch, available within the current AWS region.
06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Use the EC2-VPC platform to re-create your Memcached cache cluster with the create-cache-cluster command (OSX/Linux/UNIX). Set the VPC subnet group with the --cache-subnet-group-name command parameter:
aws elasticache create-cache-cluster --region us-east-1 --cache-cluster-id "cc-new-production-memcache-cluster" --az-mode "single-az" --preferred-availability-zone "us-east-1a" --num-cache-nodes 2 --cache-node-type "cache.m4.large" --engine "memcached" --engine-version "1.6.22" --security-group-ids "sg-0abcd1234abcd1234" --cache-subnet-group-name "cc-memcache-cluster-sg"
02 The command output should return the information available for the new Memcached cache cluster:
{
    "CacheCluster": {
        "CacheClusterId": "cc-new-production-memcache-cluster",
        "CacheNodeType": "cache.m4.large",
        "Engine": "memcached",
        "EngineVersion": "1.6.22",
        "CacheClusterStatus": "creating",
        "NumCacheNodes": 2,
        "PreferredAvailabilityZone": "us-east-1a",
        ...
        "PendingModifiedValues": {},
        "CacheSecurityGroups": [],
        "TransitEncryptionEnabled": true,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-new-production-memcache-cluster",
        "ReplicationGroupLogDeliveryEnabled": false,
        "LogDeliveryConfigurations": []
    }
}
03 (Optional) To remove the source (non-compliant) Memcached cache cluster from your AWS cloud account, run delete-cache-cluster command (OSX/Linux/UNIX):
aws elasticache delete-cache-cluster --region us-east-1 --cache-cluster-id cc-production-memcache-cluster
04 The output should return the information available for the deleted Memcached cache cluster:
{
    "CacheCluster": {
        "CacheClusterId": "cc-production-memcache-cluster",
        "CacheNodeType": "cache.m4.large",
        "Engine": "memcached",
        ...
        "TransitEncryptionEnabled": true,
        "AtRestEncryptionEnabled": false,
        "ReplicationGroupLogDeliveryEnabled": false
    }
}
05 Repeat steps no. 1 – 4 for each Memcached cache cluster that you want to re-create, available in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.
References
- AWS Documentation
- Virtual private clouds for your EC2 instances
- EC2-Classic Networking is Retiring – Here’s How to Prepare
- AWS Command Line Interface (CLI) Documentation
- describe-replication-groups
- describe-cache-clusters
- create-replication-group
- delete-replication-group
- create-cache-cluster
- delete-cache-cluster