
ElastiCache Cluster Default Port

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC-012

Ensure that your Amazon ElastiCache clusters are not using their default endpoint ports (i.e. 6379 for Redis and 11211 for Memcached) in order to add port obfuscation as a thin additional layer of defense against non-targeted attacks. Changing the default port number is a basic hardening measure only: it does not prevent port scanning or network attacks, and a targeted attacker will locate the new port with a full-range scan, so it must not be relied on as a substitute for access control. To properly secure ElastiCache clusters, restrict access to them through security groups and Network Access Control Lists (NACLs), keep the cache clusters within private subnets so they are never reachable from the Internet, and enable in-transit encryption where the engine supports it.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Running your Amazon ElastiCache clusters on the default ports makes them trivial to identify. Replacing the default port numbers (6379 for Redis and 11211 for Memcached) with custom ones is a low-cost measure that filters out non-targeted scans and automated tooling that only probe the well-known ports; it does not stop a targeted attacker and does not replace network-level access control through security groups, NACLs and private subnets.


Audit

Case A: To determine if your Memcached cache clusters are using the default port, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Memcached clusters to access the cache clusters created with the Memcached in-memory cache engine.

04 Click on the name (link) of the Memcached cache cluster that you want to examine.

05 Select the Nodes tab to view the cache nodes provisioned for the Memcached cluster and check the port number utilized by the cache nodes, listed in the Endpoint column, at the end of the endpoint URL (i.e. <cache-node-name>.cache.amazonaws.com:<port-number>). If the <port-number> is 11211, the selected Memcached cache cluster is using the default port for endpoint access and is non-compliant with this rule.

06 Repeat steps no. 4 – 5 for each Memcached cache cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier (name) of each Memcached cache cluster available in the selected region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --query 'CacheClusters[?(Engine==`memcached`)].CacheClusterId'

02 The command output should return an array with the requested cluster names:

[
    "cc-memcached-cluster",
    "cc-web-cache-cluster"
]

03 Run describe-cache-clusters command (OSX/Linux/UNIX) using the name of the Memcached cache cluster that you want to examine as the identifier parameter and custom query filters to describe the port number used for access by the selected cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-memcached-cluster \
  --query 'CacheClusters[*].ConfigurationEndpoint.Port'

04 The command output should return the requested port number:

[
    11211
]

If the describe-cache-clusters command output returns the default port number (i.e. 11211), as shown in the output example above, the selected Memcached cache cluster is using the default port for endpoint access and is non-compliant with this rule.

05 Repeat steps no. 3 and 4 for each Memcached cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Case B: To determine if your Redis cache clusters are using the default port, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 Select the Nodes tab to view the cache nodes provisioned for the Redis cluster and check the port number utilized by the cache nodes, listed in the Endpoint column, at the end of the endpoint URL (i.e. <cache-node-name>.cache.amazonaws.com:<port-number>). If the <port-number> is 6379, the selected Redis cache cluster is using the default port for endpoint access and is non-compliant with this rule.

06 Repeat steps no. 4 – 5 for each Redis cache cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache cluster (replication group) available in the selected region:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return an array with the requested replication group names:

[
    "cc-redis-cache-cluster",
    "cc-redis-project-cluster"
]

03 Run describe-replication-groups command (OSX/Linux/UNIX) using the name of the Redis cache cluster that you want to examine as the identifier parameter and custom query filters to describe the port number used for access by the selected cluster:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups[*].NodeGroups[*].PrimaryEndpoint.Port[]'

04 The command output should return the requested port number:

[
    6379
]

If the describe-replication-groups command output returns the default port number (i.e. 6379), as shown in the output example above, the selected Redis cache cluster is using the default port for endpoint access and is non-compliant with this rule. Note that a cluster-mode-enabled (sharded) replication group has no PrimaryEndpoint on its node groups, so the query above returns an empty list for it; for such groups check the port of the replication group's ConfigurationEndpoint instead.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
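The Memcached (Case A) and Redis (Case B) CLI audits above can be combined into one script that also covers the cluster-mode-enabled replication groups the step 3 query misses. The following Python example is added here and is not part of the Conformity page or of any AWS tooling; the pure check runs offline on constructed sample records, while the optional audit_region() wrapper assumes boto3 is installed and AWS credentials are configured. Function names, the sample records and identifiers such as cc-redis-sharded are illustrative assumptions.

```python
"""Audit Amazon ElastiCache endpoint ports for both engines in one pass.

Added example, not part of the Conformity rule page. find_default_port_clusters()
is the pure check; audit_region() is an optional live wrapper that needs boto3
and AWS credentials. The sample records at the bottom are constructed.
"""
DEFAULT_PORTS = {"memcached": 11211, "redis": 6379}

try:
    import boto3  # only needed by audit_region()
except ImportError:
    boto3 = None


def _ports_of_cache_cluster(cc):
    """Ports exposed by one describe-cache-clusters record: the Memcached
    ConfigurationEndpoint plus each node's own Endpoint (present when the
    call is made with ShowCacheNodeInfo; the only endpoint a standalone
    Redis cluster outside a replication group has)."""
    ports = set()
    if cc.get("ConfigurationEndpoint"):
        ports.add(cc["ConfigurationEndpoint"]["Port"])
    for node in cc.get("CacheNodes", []):
        if node.get("Endpoint"):
            ports.add(node["Endpoint"]["Port"])
    return ports


def _ports_of_replication_group(rg):
    """Ports exposed by one describe-replication-groups record.
    Cluster mode disabled: PrimaryEndpoint/ReaderEndpoint per node group.
    Cluster mode enabled: one top-level ConfigurationEndpoint and no
    PrimaryEndpoint, so a NodeGroups[*].PrimaryEndpoint.Port query alone
    silently returns nothing for sharded clusters."""
    ports = set()
    if rg.get("ConfigurationEndpoint"):
        ports.add(rg["ConfigurationEndpoint"]["Port"])
    for ng in rg.get("NodeGroups", []):
        for key in ("PrimaryEndpoint", "ReaderEndpoint"):
            if ng.get(key):
                ports.add(ng[key]["Port"])
    return ports


def find_default_port_clusters(cache_clusters, replication_groups):
    """Return [(resource_id, engine, port)] for each endpoint on a default port."""
    findings = []
    # Member clusters of a replication group are reported once, under the group.
    members = {m for rg in replication_groups for m in rg.get("MemberClusters", [])}
    for cc in cache_clusters:
        if cc["CacheClusterId"] in members:
            continue
        for port in sorted(_ports_of_cache_cluster(cc)):
            if port == DEFAULT_PORTS.get(cc["Engine"]):
                findings.append((cc["CacheClusterId"], cc["Engine"], port))
    for rg in replication_groups:
        for port in sorted(_ports_of_replication_group(rg)):
            if port == DEFAULT_PORTS["redis"]:
                findings.append((rg["ReplicationGroupId"], "redis", port))
    return findings


def audit_region(region):
    """Live audit of one region (requires boto3 and credentials)."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    ec = boto3.client("elasticache", region_name=region)
    ccs, rgs = [], []
    for page in ec.get_paginator("describe_cache_clusters").paginate(ShowCacheNodeInfo=True):
        ccs.extend(page["CacheClusters"])
    for page in ec.get_paginator("describe_replication_groups").paginate():
        rgs.extend(page["ReplicationGroups"])
    return find_default_port_clusters(ccs, rgs)


# Constructed sample records; field shapes follow the describe-* API output.
SAMPLE_CACHE_CLUSTERS = [
    {"CacheClusterId": "cc-memcached-cluster", "Engine": "memcached",
     "ConfigurationEndpoint": {"Address": "a.cfg.use1.cache.amazonaws.com", "Port": 11211}},
    {"CacheClusterId": "cc-new-memcached-cluster", "Engine": "memcached",
     "ConfigurationEndpoint": {"Address": "b.cfg.use1.cache.amazonaws.com", "Port": 13611}},
    {"CacheClusterId": "cc-redis-cache-cluster-001", "Engine": "redis",  # member of the group below
     "CacheNodes": [{"Endpoint": {"Address": "c.use1.cache.amazonaws.com", "Port": 6379}}]},
]
SAMPLE_REPLICATION_GROUPS = [
    {"ReplicationGroupId": "cc-redis-cache-cluster", "ClusterEnabled": False,
     "MemberClusters": ["cc-redis-cache-cluster-001"],
     "NodeGroups": [{"PrimaryEndpoint": {"Address": "p", "Port": 6379},
                     "ReaderEndpoint": {"Address": "r", "Port": 6379}}]},
    {"ReplicationGroupId": "cc-redis-sharded", "ClusterEnabled": True,  # cluster mode enabled
     "MemberClusters": ["cc-redis-sharded-0001-001"],
     "ConfigurationEndpoint": {"Address": "clustercfg.use1.cache.amazonaws.com", "Port": 6379},
     "NodeGroups": [{"NodeGroupId": "0001"}, {"NodeGroupId": "0002"}]},
]

if __name__ == "__main__":
    for rid, engine, port in find_default_port_clusters(SAMPLE_CACHE_CLUSTERS, SAMPLE_REPLICATION_GROUPS):
        print(f"NON-COMPLIANT {engine:<9} {rid} (port {port})")
```

Run it as-is to see the three findings from the constructed data, or loop audit_region() over the regions returned by describe-regions for a live account; the sharded sample is the case the page's PrimaryEndpoint query would have skipped.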

Remediation / Resolution

Case A: To change the default port number for Amazon ElastiCache clusters that use Memcached as cache engine, you must re-create the Memcached clusters with a custom port number. To re-create a Memcached cache cluster, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Configure Default Port Number for Memcached Cache Clusters",
    "Resources": {
        "MemcachedCacheCluster": {
            "Type": "AWS::ElastiCache::CacheCluster",
            "Properties": {
                "ClusterName": "cc-new-memcached-cluster",
                "Engine": "memcached",
                "EngineVersion": "1.6.6",
                "NumCacheNodes": "2",
                "CacheNodeType": "cache.t2.micro",
                "PreferredAvailabilityZone": "us-east-1b",
                "VpcSecurityGroupIds": ["sg-0abcd1234abcd1234"],
                "Port": 13611
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Default Port Number for Memcached Cache Clusters
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      ClusterName: cc-new-memcached-cluster
      Engine: memcached
      EngineVersion: 1.6.6
      NumCacheNodes: '2'
      CacheNodeType: cache.t2.micro
      PreferredAvailabilityZone: us-east-1b
      VpcSecurityGroupIds:
        - sg-0abcd1234abcd1234
      Port: 13611

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_cluster" "memcached-cache-cluster" {

  cluster_id           = "cc-new-memcached-cluster"
  engine               = "memcached"
  engine_version       = "1.6.6"
  node_type            = "cache.t2.micro"
  num_cache_nodes      = 2
  availability_zone    = "us-east-1b"
  parameter_group_name = "default.memcached1.6"
  security_group_ids   = ["sg-0abcd1234abcd1234"]

  # Configure Default Port Number for Memcached Cache Clusters
  port                 = 13611

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Memcached clusters to access the cache clusters created with the Memcached in-memory cache engine.

04 Click on the name of the Memcached cache cluster that you want to re-create and choose Modify.

05 On the Modify <cache-cluster-name> page, copy the configuration information available in the Cluster settings, Subnet group settings, and Maintenance sections. The configuration information copied at this step is required during the new cluster setup.

06 Navigate back to the Memcached clusters listing page, choose Create Memcached cluster, and perform the following actions:

  1. For Step 1 Cluster settings, perform the following:
    • For Location, choose AWS Cloud.
    • Provide a unique name for the new cache cluster in the Name box.
    • Choose the appropriate Memcached engine version from the Engine version dropdown list.
    • Replace the default endpoint port number available within the Port box with a custom port number (e.g. 13611).
    • Choose the right parameter group from the Parameter groups dropdown list.
    • Select the type of node to be deployed within the new cluster from the Node type dropdown list.
    • Enter the appropriate number of cluster nodes to provision in the Number of nodes box.
    • Choose the subnets that you can designate for your new cluster from the Subnet group settings section.
    • Configure placements for Availability Zones (AZs) in the Availability Zone placements section.
    • Choose Next to continue the setup.
  2. For Step 2 Advanced settings, choose the security groups that you want to associate with the new cache cluster, select the maintenance window, and set up any required tag sets; these must match the configuration settings copied at step no. 5. Choose Next to continue.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch the new Memcached cache cluster.

07 (Optional) Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the resource. To remove the source (non-compliant) Memcached cluster from your AWS account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Memcached clusters.
  2. Select the Memcached cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the Delete <cache-cluster>? confirmation box, type the name of the non-compliant cluster in the text input field, then choose Delete to confirm the removal.

08 Repeat steps no. 4 – 7 for each Memcached cache cluster that you want to re-create, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) to describe the configuration information available for the Memcached cache cluster that you want to reconfigure:

aws elasticache describe-cache-clusters
  --region us-east-1
  --cache-cluster-id cc-memcached-cluster
  --query 'CacheClusters'

02 The command output should return the requested cache cluster configuration information. This information will be useful for creating the new cache cluster:

[
    {
        "CacheClusterId": "cc-memcached-cluster",
        "ConfigurationEndpoint": {
            "Address": "cc-memcached-cluster.abcabc.cfg.use1.cache.amazonaws.com",
            "Port": 11211
        },
        "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
        "CacheNodeType": "cache.t2.micro",
        "Engine": "memcached",
        "EngineVersion": "1.6.6",
        "CacheClusterStatus": "available",
        "NumCacheNodes": 2,
        "PreferredAvailabilityZone": "us-east-1b",
        "CacheClusterCreateTime": "2022-05-13T08:25:12.977000+00:00",
        "PreferredMaintenanceWindow": "sun:09:00-sun:10:00",
        "PendingModifiedValues": {},
        "CacheSecurityGroups": ["sg-0abcd1234abcd1234"],
        "CacheParameterGroup": {
            "CacheParameterGroupName": "default.memcached1.6",
            "ParameterApplyStatus": "in-sync",
            "CacheNodeIdsToReboot": []
        },
        "CacheSubnetGroupName": "cc-redis-cluster-sg",
        "AutoMinorVersionUpgrade": true,
        "AuthTokenEnabled": false,
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-memcached-cluster",
        "ReplicationGroupLogDeliveryEnabled": false,
        "LogDeliveryConfigurations": []
    }
]

03 Re-create the source Memcached cache cluster with the create-cache-cluster command (OSX/Linux/UNIX), carrying over the configuration returned at the previous step (engine version, node type and count, Availability Zone, parameter group, subnet group, security groups and maintenance window) and using a different number for the endpoint port. Omitting the subnet group places the new cluster in the default subnet group, which may not be the private subnets the source cluster used:

aws elasticache create-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id cc-new-memcached-cluster \
  --az-mode single-az \
  --preferred-availability-zone "us-east-1b" \
  --num-cache-nodes 2 \
  --cache-node-type cache.t2.micro \
  --engine memcached \
  --engine-version "1.6.6" \
  --cache-parameter-group-name default.memcached1.6 \
  --cache-subnet-group-name cc-redis-cluster-sg \
  --preferred-maintenance-window "sun:09:00-sun:10:00" \
  --security-group-ids "sg-0abcd1234abcd1234" \
  --port 13611

04 The command output should return the metadata available for the new Memcached cache cluster:

{
    "CacheCluster": {
        "CacheClusterId": "cc-new-memcached-cluster",
        "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
        "CacheNodeType": "cache.t2.micro",
        "Engine": "memcached",
        "EngineVersion": "1.6.6",
        "CacheClusterStatus": "creating",
        "NumCacheNodes": 1,
        "PreferredAvailabilityZone": "us-east-1b",
        "PreferredMaintenanceWindow": "thu:09:30-thu:10:30",
        "PendingModifiedValues": {},
        "CacheSecurityGroups": [],
        "CacheParameterGroup": {
            "CacheParameterGroupName": "default.memcached1.6",
            "ParameterApplyStatus": "in-sync",
            "CacheNodeIdsToReboot": []
        },
        "CacheSubnetGroupName": "default",
        "AutoMinorVersionUpgrade": true,
        "SecurityGroups": [
            {
                "SecurityGroupId": "sg-0abcd1234abcd1234",
                "Status": "active"
            }
        ],
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-new-memcached-cluster",
        "ReplicationGroupLogDeliveryEnabled": false,
        "LogDeliveryConfigurations": []
    }
}

05 Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the AWS resource. To remove the source (non-compliant) Memcached cluster from your AWS account, run delete-cache-cluster command (OSX/Linux/UNIX):

aws elasticache delete-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id cc-memcached-cluster

06 The output should return the delete-cache-cluster command request metadata:

{
    "CacheCluster": {
        "CacheClusterId": "cc-memcached-cluster",
        "ConfigurationEndpoint": {
            "Address": "cc-memcached-cluster.abcabc.cfg.use1.cache.amazonaws.com",
            "Port": 11211
        },
        "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
        "CacheNodeType": "cache.t2.micro",
        "Engine": "memcached",
        "EngineVersion": "1.6.6",
        "CacheClusterStatus": "deleting",
        "NumCacheNodes": 1,
        "PreferredAvailabilityZone": "us-east-1b",
        "CacheClusterCreateTime": "2022-05-13T08:25:12.977000+00:00",
        "PreferredMaintenanceWindow": "sun:09:00-sun:10:00",
        "PendingModifiedValues": {},
        "CacheSecurityGroups": [],
        "CacheParameterGroup": {
            "CacheParameterGroupName": "default.memcached1.6",
            "ParameterApplyStatus": "in-sync",
            "CacheNodeIdsToReboot": []
        },
        "CacheSubnetGroupName": "cc-redis-cluster-sg",
        "AutoMinorVersionUpgrade": true,
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-memcached-cluster",
        "ReplicationGroupLogDeliveryEnabled": false,
        "LogDeliveryConfigurations": []
    }
}

07 Repeat steps no. 1 – 6 for each Memcached cache cluster that you want to re-create, available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.

Case B: To change the default port number for Amazon ElastiCache clusters that use the Redis cache engine, you must re-create the Redis clusters with a custom port number. To re-create a Redis cache cluster, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Configure Default Port Number for Redis Cache Clusters",
    "Resources": {
        "RedisReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupId": "cc-new-redis-cache-cluster",
                "ReplicationGroupDescription": "Redis Cache Replication Group with Non-Default Port Number",
                "Engine": "redis",
                "EngineVersion": "6.2",
                "NumCacheClusters": "2",
                "CacheNodeType": "cache.t2.micro",
                "CacheParameterGroupName": "default.redis6.x",
                "Port": 3560
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Default Port Number for Redis Cache Clusters
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-new-redis-cache-cluster
      ReplicationGroupDescription: Redis Cache Replication Group with Non-Default
        Port Number
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      Port: 3560

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

  replication_group_id        = "cc-new-redis-cache-cluster"
  description                 = "Redis Cache Replication Group with Non-Default Port Number"
  engine                      = "redis"
  engine_version              = "6.x"
  node_type                   = "cache.t2.micro"
  num_cache_clusters          = 2
  parameter_group_name        = "default.redis6.x"

  # Configure Default Port Number for Redis Cache Clusters
  port                        = 3560

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name of the Redis cache cluster that you want to re-create and choose Modify.

05 On the Modify <cache-cluster-name> page, copy the configuration information available in the Location, Cluster settings, Subnet group settings, Security, Backup and Maintenance sections. The configuration information copied at this step is required during the new cluster setup.

06 Navigate back to the Redis clusters listing page, choose Create Redis cluster, and perform the following operations:

  1. For Step 1 Cluster settings, choose Configure and create a new cluster, and perform the following:
    • For Cluster mode, choose the cluster mode required for your application.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box.
    • For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a multi-az and/or failover configuration.
    • Choose the appropriate Redis engine version from the Engine version dropdown list.
    • Replace the default endpoint port number available in the Port box with a custom port number (e.g. 3560).
    • Choose the right parameter group from the Parameter groups dropdown list.
    • Select the type of node to be deployed within the new cluster from the Node type dropdown list.
    • Enter the appropriate number of replicas to provision in the Number of replicas box.
    • Choose the subnets that you can designate for your new cluster from the Subnet group settings section.
    • Configure placements for Availability Zones (AZs) in the Availability Zone placements section.
    • Choose Next to continue the setup.
  2. For Step 2 Advanced settings, perform the following:
    • Enable encryption at rest and/or in transit for the new cache cluster.
    • Choose the security groups that you want to associate with the new cache cluster. These must match the configuration settings copied at step no. 5.
    • Configure automatic backups and select the necessary maintenance window.
    • Specify whether to enable the Redis slow logs and/or engine logs.
    • Set up any required tag sets.
    • Choose Next to continue.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch the new Redis cache cluster.

07 (Optional) Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the resource. To remove the source (non-compliant) Redis cluster from your AWS cloud account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Redis clusters.
  2. Select the Redis cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the Delete <cache-cluster>? confirmation box, choose whether to create a final backup for the source cluster, type the name of the non-compliant cluster in the text input field, then choose Delete to confirm the removal.

08 Repeat steps no. 4 – 7 for each Redis cache cluster that you want to re-create, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) to describe the configuration information available for the Redis cache cluster (replication group) that you want to reconfigure:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups'

02 The command output should return the requested cache cluster configuration information. This information will be useful for creating the new Redis cluster:

[
    {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "available",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-redis-cache-cluster-001",
            "cc-redis-cache-cluster-002"
        ],
        "NodeGroups": [
            {
                "NodeGroupId": "0001",
                "Status": "available",
                "PrimaryEndpoint": {
                    "Address": "cc-redis-cache-cluster.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "ReaderEndpoint": {
                    "Address": "cc-redis-cache-cluster-ro.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "NodeGroupMembers": [
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-001",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-001.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1d",
                        "CurrentRole": "primary"
                    },
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-002",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-002.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1c",
                        "CurrentRole": "replica"
                    }
                ]
            }
        ],
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "05:00-06:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.t2.micro",
        "AuthTokenEnabled": false,
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
        "DataTiering": "disabled"
    }
]

03 Re-create the source Redis cache cluster (replication group) with the create-replication-group command (OSX/Linux/UNIX), carrying over the configuration returned at the previous step (node type, number of member clusters, Multi-AZ and failover settings, encryption and snapshot settings) and using a different number for the endpoint port. Engine version, parameter group and subnet group are not reported by describe-replication-groups; take them from the describe-cache-clusters output of one of the member clusters and pass them explicitly so the new group does not fall back to the defaults:

aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-new-redis-cache-cluster" \
  --replication-group-description "Redis Cache Replication Group with Non-Default Port Number" \
  --engine "redis" \
  --engine-version "6.2" \
  --cache-parameter-group-name default.redis6.x \
  --num-cache-clusters 2 \
  --cache-node-type "cache.t2.micro" \
  --no-multi-az-enabled \
  --port 3560

04 The command output should return the metadata available for the new Redis cache cluster:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-new-redis-cache-cluster",
        "Description": "Redis Cache Replication Group with Non-Default Port Number",
        "GlobalReplicationGroupInfo": {},
        "Status": "creating",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-new-redis-cache-cluster-001",
            "cc-new-redis-cache-cluster-002"
        ],
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "06:00-07:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.t2.micro",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-new-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T11:09:07.373000+00:00",
        "DataTiering": "disabled"
    }
}

05 Once you have replaced the source cluster endpoint within your application code, it's safe to terminate the source cache cluster in order to stop incurring charges for the AWS resource. To remove the source (non-compliant) Redis cluster from your AWS account, run delete-replication-group command (OSX/Linux/UNIX):

aws elasticache delete-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster

06 The output should return the delete-replication-group command request metadata:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "deleting",
        "PendingModifiedValues": {},
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "05:00-06:00",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
        "DataTiering": "disabled"
    }
}

07 Repeat steps no. 1 – 6 for each Redis cache cluster that you want to re-create, available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.
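Because the port cannot be changed in place, both remediations above (Case A for Memcached, Case B for Redis) re-create the cluster, and the main risk in doing that by hand is silently losing settings of the source: subnet group, parameter group, security groups, maintenance window, encryption and snapshot configuration. The following Python example is added here and is not part of the Conformity page or of any AWS tooling; it turns the describe-* records of a source cluster into the keyword arguments for boto3's create_cache_cluster and create_replication_group calls with only the port changed, and refuses the default port. The function names, the sample records and identifiers such as cc-memcached-subnets are constructed for illustration.

```python
"""Carry a source ElastiCache cluster's settings over to its replacement on a
custom port. Added example, not part of the Conformity rule page; the sample
records are constructed and only the builders are exercised, no AWS call is made.
"""
DEFAULT_PORTS = {"memcached": 11211, "redis": 6379}


def _check_port(engine, port):
    """Reject invalid ports and, in particular, the engine's default port."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port!r}")
    if port == DEFAULT_PORTS[engine]:
        raise ValueError(f"{port} is the default {engine} port; pick a different one")


def cache_cluster_create_args(src, new_id, new_port):
    """describe_cache_clusters record (Memcached or standalone Redis) ->
    create_cache_cluster keyword arguments."""
    _check_port(src["Engine"], new_port)
    args = {
        "CacheClusterId": new_id,
        "Engine": src["Engine"],
        "EngineVersion": src["EngineVersion"],
        "CacheNodeType": src["CacheNodeType"],
        "NumCacheNodes": src["NumCacheNodes"],
        "Port": new_port,
        "CacheParameterGroupName": src["CacheParameterGroup"]["CacheParameterGroupName"],
        "PreferredMaintenanceWindow": src["PreferredMaintenanceWindow"],
        "AutoMinorVersionUpgrade": src.get("AutoMinorVersionUpgrade", True),
    }
    if src.get("CacheSubnetGroupName"):  # otherwise the new cluster lands in "default"
        args["CacheSubnetGroupName"] = src["CacheSubnetGroupName"]
    az = src.get("PreferredAvailabilityZone")
    if az == "Multiple":  # Memcached nodes spread across AZs
        args["AZMode"] = "cross-az"
    elif az:
        args["PreferredAvailabilityZone"] = az
    sgs = [sg["SecurityGroupId"] for sg in src.get("SecurityGroups", [])]
    if sgs:
        args["SecurityGroupIds"] = sgs
    return args


def replication_group_create_args(src, member, new_id, new_port):
    """describe_replication_groups record plus the describe_cache_clusters
    record of one member (engine version, parameter group, subnet group and
    security groups are only reported per member) -> create_replication_group
    keyword arguments."""
    _check_port("redis", new_port)
    args = {
        "ReplicationGroupId": new_id,
        "ReplicationGroupDescription": (src.get("Description") or "").strip() or new_id,
        "Engine": "redis",
        "EngineVersion": member["EngineVersion"],
        "CacheNodeType": src["CacheNodeType"],
        "Port": new_port,
        "CacheParameterGroupName": member["CacheParameterGroup"]["CacheParameterGroupName"],
        "PreferredMaintenanceWindow": member["PreferredMaintenanceWindow"],
        "AutomaticFailoverEnabled": src["AutomaticFailover"] in ("enabled", "enabling"),
        "MultiAZEnabled": src["MultiAZ"] == "enabled",
        "TransitEncryptionEnabled": src["TransitEncryptionEnabled"],
        "AtRestEncryptionEnabled": src["AtRestEncryptionEnabled"],
        "SnapshotRetentionLimit": src["SnapshotRetentionLimit"],
        "SnapshotWindow": src["SnapshotWindow"],
    }
    if src.get("ClusterEnabled"):  # sharded: shards x (primary + replicas)
        args["NumNodeGroups"] = len(src["NodeGroups"])
        args["ReplicasPerNodeGroup"] = len(src["NodeGroups"][0]["NodeGroupMembers"]) - 1
    else:
        args["NumCacheClusters"] = len(src["MemberClusters"])
    if member.get("CacheSubnetGroupName"):
        args["CacheSubnetGroupName"] = member["CacheSubnetGroupName"]
    sgs = [sg["SecurityGroupId"] for sg in member.get("SecurityGroups", [])]
    if sgs:
        args["SecurityGroupIds"] = sgs
    return args


# Constructed sample records; field shapes follow the describe-* API output.
SAMPLE_MEMCACHED = {
    "CacheClusterId": "cc-memcached-cluster", "Engine": "memcached", "EngineVersion": "1.6.6",
    "CacheNodeType": "cache.t2.micro", "NumCacheNodes": 2, "PreferredAvailabilityZone": "us-east-1b",
    "PreferredMaintenanceWindow": "sun:09:00-sun:10:00", "AutoMinorVersionUpgrade": True,
    "CacheParameterGroup": {"CacheParameterGroupName": "default.memcached1.6"},
    "CacheSubnetGroupName": "cc-memcached-subnets",
    "SecurityGroups": [{"SecurityGroupId": "sg-0abcd1234abcd1234", "Status": "active"}],
}
SAMPLE_RG = {
    "ReplicationGroupId": "cc-redis-cache-cluster", "Description": " ", "ClusterEnabled": False,
    "MemberClusters": ["cc-redis-cache-cluster-001", "cc-redis-cache-cluster-002"],
    "NodeGroups": [{"NodeGroupId": "0001"}], "CacheNodeType": "cache.t2.micro",
    "AutomaticFailover": "disabled", "MultiAZ": "disabled",
    "TransitEncryptionEnabled": False, "AtRestEncryptionEnabled": False,
    "SnapshotRetentionLimit": 0, "SnapshotWindow": "05:00-06:00",
}
SAMPLE_RG_MEMBER = {
    "CacheClusterId": "cc-redis-cache-cluster-001", "Engine": "redis", "EngineVersion": "6.2.6",
    "PreferredMaintenanceWindow": "sun:09:00-sun:10:00",
    "CacheParameterGroup": {"CacheParameterGroupName": "default.redis6.x"},
    "CacheSubnetGroupName": "cc-redis-subnets",
    "SecurityGroups": [{"SecurityGroupId": "sg-0abcd1234abcd1234", "Status": "active"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(cache_cluster_create_args(SAMPLE_MEMCACHED, "cc-new-memcached-cluster", 13611), indent=2))
    print(json.dumps(replication_group_create_args(SAMPLE_RG, SAMPLE_RG_MEMBER, "cc-new-redis-cache-cluster", 3560), indent=2))
```

To apply the result, pass the returned dictionary as keyword arguments to boto3's elasticache client (client.create_cache_cluster(**args) or client.create_replication_group(**args)), then diff the describe-* output of the new resource against the source before cutting over application traffic and deleting the old cluster.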


Publication date Nov 1, 2017
