
ElastiCache Desired Node Type

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-011

Determine if your existing AWS ElastiCache cluster nodes have the desired type established by your organization based on the caching workload required. Cloud Conformity provides you with the ability to define the desired cache node type based on your workload requirements upon enabling this conformity rule.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the type of AWS ElastiCache cluster nodes will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.

Note 1: You can also limit your ElastiCache nodes to the desired type using the AWS Organizations service by attaching your own Service Control Policy from the organization's management account (formerly called the master account). A Service Control Policy (SCP) is a type of organization policy that sets the maximum permissions available to the member accounts it is attached to; it does not grant permissions itself, but it lets you restrict which resources, services and actions the users, groups and roles in those AWS accounts can use.
Note 2: The desired ElastiCache node type used as an example in this conformity rule is cache.m3.medium. To meet your own organizational requirements, you will need to configure this rule with your desired node type.

Audit

To determine if the existing cache nodes provisioned within your ElastiCache clusters have the desired type, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Memcached to access the cache clusters created with the Memcached in-memory cache engine or Redis to access the clusters created with the Redis engine.

04 Check the node type utilized by the Memcached / Redis cluster cache nodes available in the current AWS region, listed in the Node Type column:

If the Node Type value of any listed cluster is not the desired node type (e.g. cache.m3.medium), that cluster was not launched using the desired node type. Compare each cluster against the desired type rather than against the other clusters: a region in which every cluster runs the same wrong type is still non-compliant. In that case you must take action and raise an AWS support case to limit ElastiCache cluster node creation only to the desired type.

05 Change the AWS region from the navigation bar and repeat step no. 3 and 4 for all other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) using custom query filters to list the type of node(s) provisioned for each ElastiCache cluster available in the selected AWS region:

aws elasticache describe-cache-clusters \
    --region us-east-1 \
    --query 'CacheClusters[*].[CacheClusterId,Engine,CacheNodeType]'

02 The command output should return an array that contains sets of metadata representing the cluster identifier (name), the cache engine type (e.g. memcached, redis) and the node type (e.g. cache.m3.medium) set for each cache cluster available in the selected region:

[
    [
        "cc-memcached-cluster",
        "memcached",
        "cache.m3.medium"
    ],
    [
        "cc-webcache-cluster",
        "memcached",
        "cache.m3.medium"
    ],
    [
        "cc-sandbox-cluster",
        "memcached",
        "cache.m4.large"
    ],
    [
        "cc-redis-cluster",
        "redis",
        "cache.m3.medium"
    ],
    [
        "cc-redis-cluster",
        "redis",
        "cache.r3.large"
    ]
]

If the node type listed in the command output for any cache cluster is not the desired node type (in the example output above, cc-sandbox-cluster on cache.m4.large and the Redis cluster on cache.r3.large), those ElastiCache clusters were not created using the desired node type. Check each cluster against the desired type, not against the other clusters, since a region where all clusters share the same wrong type is still non-compliant. In that case you must take action and raise an AWS support case to limit cluster creation only to the desired/required cache node type.

03 Repeat step no. 1 and 2 to perform the audit process for all other AWS regions.
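The CLI check above can be scripted so that every cluster is compared against the desired node type, every region is covered in one run and paginated results are not truncated. The following Python script is an added example written for this page, not Conformity's own tooling; the --live path assumes boto3 is installed and AWS credentials are configured, while the default path runs offline against a constructed sample that mirrors the CLI output above (the cluster ids, including cc-redis-sandbox, are made up for the example).

```python
"""Audit ElastiCache node types across regions.

Added example (not from the Conformity page): the describe-cache-clusters
check from the Audit section as a script that compares every cluster against
the desired node type, walks all regions and follows result pagination.
The --live path assumes boto3 and AWS credentials; the default path runs on a
constructed sample that mirrors the CLI output above (ids are made up).
"""
import sys

DESIRED_NODE_TYPE = "cache.m3.medium"  # the rule's example value; set your own standard

# Constructed sample in the shape boto3 / the CLI return for describe-cache-clusters.
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "cc-memcached-cluster", "Engine": "memcached", "CacheNodeType": "cache.m3.medium"},
    {"CacheClusterId": "cc-webcache-cluster", "Engine": "memcached", "CacheNodeType": "cache.m3.medium"},
    {"CacheClusterId": "cc-sandbox-cluster", "Engine": "memcached", "CacheNodeType": "cache.m4.large"},
    {"CacheClusterId": "cc-redis-cluster", "Engine": "redis", "CacheNodeType": "cache.m3.medium"},
    {"CacheClusterId": "cc-redis-sandbox", "Engine": "redis", "CacheNodeType": "cache.r3.large"},
]


def noncompliant_clusters(response, desired=DESIRED_NODE_TYPE):
    """(cluster id, engine, node type) for every cluster in one response page
    whose node type differs from the desired one. The comparison is against
    the standard, not between clusters: a region where every cluster runs the
    wrong type is still non-compliant."""
    return [
        (c["CacheClusterId"], c["Engine"], c["CacheNodeType"])
        for c in response.get("CacheClusters", [])
        if c.get("CacheNodeType") != desired
    ]


def audit_region(client, desired=DESIRED_NODE_TYPE):
    """Follow the Marker token until describe_cache_clusters runs out of pages.
    `client` is a boto3 ElastiCache client or anything with the same method."""
    findings, kwargs = [], {}
    while True:
        page = client.describe_cache_clusters(**kwargs)
        findings.extend(noncompliant_clusters(page, desired))
        marker = page.get("Marker")
        if not marker:
            return findings
        kwargs = {"Marker": marker}


def audit_all_regions(regions, client_for_region, desired=DESIRED_NODE_TYPE):
    """region -> findings. client_for_region(region) returns a client; with boto3
    that is boto3.client("elasticache", region_name=region)."""
    return {r: audit_region(client_for_region(r), desired) for r in regions}


class FakeElastiCacheClient:
    """Offline stand-in for the boto3 client that serves its clusters in small
    pages so the Marker loop is exercised."""

    def __init__(self, clusters, page_size=2):
        self.pages = [clusters[i:i + page_size] for i in range(0, len(clusters), page_size)] or [[]]

    def describe_cache_clusters(self, Marker=None, **_):
        idx = int(Marker) if Marker else 0
        page = {"CacheClusters": self.pages[idx]}
        if idx + 1 < len(self.pages):
            page["Marker"] = str(idx + 1)
        return page


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # assumption: boto3 installed and credentials configured
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
        results = audit_all_regions(regions, lambda r: boto3.client("elasticache", region_name=r))
    else:
        results = audit_all_regions(["us-east-1"], lambda r: FakeElastiCacheClient(SAMPLE_CLUSTERS))
    for region, findings in results.items():
        for cluster_id, engine, node_type in findings:
            print(f"{region}\t{cluster_id}\t{engine}\t{node_type} (desired {DESIRED_NODE_TYPE})")
    sys.exit(1 if any(results.values()) else 0)
```

The script exits non-zero when any region holds a cluster on a non-desired node type, which makes it usable as a scheduled check; the live path needs ec2:DescribeRegions and elasticache:DescribeCacheClusters permissions in every region.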

Remediation / Resolution

To limit new AWS ElastiCache cluster nodes to the desired node type, raise an AWS support case where you explain why you need this type of limitation (or enforce the limit yourself with a Service Control Policy, as described in Note 1). For existing ElastiCache clusters launched without the desired node type, the fix depends on the engine: Redis clusters and replication groups can be scaled to another node type in place (modify-cache-cluster or modify-replication-group with --cache-node-type, e.g. cache.m3.medium), whereas Memcached clusters cannot be resized in place, so create a new cluster with the desired node type, point your application at it, and delete the old cluster.
To create the necessary AWS support case, perform the following actions:

Note: Creating a support case to request the cache node type limitation using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Create Case support page, perform the following:

  1. Under Regarding, select Account and Billing Support.
  2. Choose Other Account Issues from the Category dropdown list.
  3. In the Subject field, enter the request subject, e.g. "Limit the provision of AWS ElastiCache clusters node(s) to a desired type".
  4. In the Description textbox, enter a brief description where you explain why you need to limit the provisioning of ElastiCache nodes to a specific type so that AWS support can evaluate your case faster.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services.
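Note 1 above names the preventive control that does not depend on a support case: a Service Control Policy attached from the organization's management account. The Python below is an added example written for this page, not code from Conformity or AWS; it builds such an SCP around the ElastiCache IAM condition key elasticache:CacheNodeType (confirm the key and the actions it applies to in the Service Authorization Reference before deploying), checks the document against the Organizations size limit and evaluates sample create requests against it offline. The statement Sid and the allowed-type list are assumptions to adapt to your own standard.

```python
"""Service Control Policy restricting ElastiCache node types.

Added example (not from the Conformity page): generates the SCP that Note 1
describes and evaluates sample create requests against it offline.
Assumptions: the elasticache:CacheNodeType condition key (listed in the
Service Authorization Reference for ElastiCache; confirm before use), the
statement Sid and the allowed-type list.
"""
import json

ALLOWED_NODE_TYPES = ["cache.m3.medium"]  # the rule's example standard; set your own

# Creation calls carry CacheNodeType in the request, so the condition key is
# present and a plain StringNotEquals does what it says. Modify* calls are
# left out on purpose: there the key exists only when the caller changes the
# node type, and a negated operator on a missing key can evaluate to true,
# which would turn this Deny into a block on every modification. Test any
# extension with the IAM policy simulator before attaching it.
CREATE_ACTIONS = [
    "elasticache:CreateCacheCluster",
    "elasticache:CreateReplicationGroup",
]

SCP_MAX_BYTES = 5120  # AWS Organizations limit on an SCP document


def build_node_type_scp(allowed_types=ALLOWED_NODE_TYPES, actions=CREATE_ACTIONS):
    """Deny cluster / replication-group creation unless CacheNodeType is in the
    allowed list. A list under StringNotEquals means: deny when the request
    value matches none of the entries."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonStandardElastiCacheNodeTypes",  # assumed name
                "Effect": "Deny",
                "Action": list(actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "elasticache:CacheNodeType": list(allowed_types)
                    }
                },
            }
        ],
    }


def scp_document(policy):
    """Serialize for `aws organizations create-policy --type SERVICE_CONTROL_POLICY
    --content file://scp.json` and enforce the size limit up front."""
    doc = json.dumps(policy, indent=2)
    size = len(doc.encode("utf-8"))
    if size > SCP_MAX_BYTES:
        raise ValueError(f"SCP is {size} bytes; the limit is {SCP_MAX_BYTES}")
    return doc


def create_request_denied(policy, action, node_type):
    """Offline evaluation of a create request against the Deny statements.
    Models only requests that carry CacheNodeType. An SCP never grants
    anything, so 'not denied' still requires IAM permissions for the call."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["elasticache:CacheNodeType"]
        if node_type not in allowed:
            return True
    return False


if __name__ == "__main__":
    scp = build_node_type_scp()
    print(scp_document(scp))
    for action, node_type in [
        ("elasticache:CreateCacheCluster", "cache.m3.medium"),
        ("elasticache:CreateCacheCluster", "cache.m4.large"),
        ("elasticache:ModifyCacheCluster", "cache.m4.large"),
    ]:
        verdict = "DENIED" if create_request_denied(scp, action, node_type) else "not denied by SCP"
        print(f"{action} {node_type}: {verdict}")
```

Attach the resulting policy to the organizational units whose accounts must follow the standard, and keep the management account itself out of scope (SCPs do not affect it). Because the Deny covers only creation, clusters that already run another node type are unaffected; those are the ones the Audit section finds.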

Publication date Sep 28, 2017
