
ElastiCache Desired Node Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-011

Determine if your Amazon ElastiCache cache clusters have the desired node type(s) established by your organization, based on the workload deployed. The desired cluster node type(s) must be defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the node type(s) of the Amazon ElastiCache clusters provisioned in your AWS cloud account can help you better manage your compute capacity, address internal compliance requirements, and prevent unexpected charges on your AWS bill.

You can also limit your Amazon ElastiCache cluster nodes to the desired node type using AWS Organizations by implementing your own Service Control Policy on the master (management) account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services, and actions the users, groups, and roles in the member AWS accounts can use.
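The SCP approach described above, as an added example that is not part of the original Conformity article: the policy denies creating or resizing an ElastiCache cluster or replication group unless the requested node type is in the organization's allowed list, using the elasticache:CacheNodeType condition key. The allowed node types are constructed sample values, and scp_denies is a small local check of the statement's logic, not an IAM policy simulator.

```python
import json

# Node types the organization allows (constructed example values).
ALLOWED_NODE_TYPES = ["cache.t3.medium", "cache.m5.large"]


def build_node_type_scp(allowed_node_types):
    """Return an SCP document that denies ElastiCache create/modify calls
    whose requested node type is not in allowed_node_types.

    The "Null": "false" test makes the statement apply only when the
    elasticache:CacheNodeType key is present in the request. Without it,
    StringNotEquals would evaluate to true for a Modify call that does not
    change the node type (key absent), and the Deny would block that call too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUndesiredElastiCacheNodeTypes",
            "Effect": "Deny",
            "Action": [
                "elasticache:CreateCacheCluster",
                "elasticache:CreateReplicationGroup",
                "elasticache:ModifyCacheCluster",
                "elasticache:ModifyReplicationGroup",
            ],
            "Resource": "*",
            "Condition": {
                "Null": {"elasticache:CacheNodeType": "false"},
                "StringNotEquals": {
                    "elasticache:CacheNodeType": list(allowed_node_types)},
            },
        }],
    }


def scp_denies(policy, action, node_type=None):
    """Local check of the single Deny statement against one request
    (constructed for illustration). node_type=None models a request in
    which the condition key is absent."""
    stmt = policy["Statement"][0]
    if action not in stmt["Action"]:
        return False
    if node_type is None:  # key absent: Null test fails, statement does not match
        return False
    allowed = stmt["Condition"]["StringNotEquals"]["elasticache:CacheNodeType"]
    return node_type not in allowed


if __name__ == "__main__":
    print(json.dumps(build_node_type_scp(ALLOWED_NODE_TYPES), indent=2))
```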


Audit

To determine if the existing cache nodes provisioned for your Amazon ElastiCache clusters have the desired type, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access ElastiCache Desired Node Type(s) conformity rule settings and identify the desired node type(s) configured for Redis/Memcached cache clusters.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

04 In the main navigation panel, under Resources, choose Redis caches to list the cache clusters created with Redis, or Memcached caches to list the cache clusters created with Memcached.

05 Click on the name (link) of the Redis/Memcached cache cluster that you want to examine.

06 In the Cluster details section, check the Node type attribute value to determine the node type used by your ElastiCache cluster. If the node type is different than the one allowed by your organization and identified at step no. 1, the selected Amazon ElastiCache cache cluster is not using the desired node type.

07 Repeat steps no. 5 and 6 for each Amazon ElastiCache cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access ElastiCache Desired Node Type(s) conformity rule settings and identify the desired node type(s) configured for Redis/Memcached cache clusters.

02 Run describe-cache-clusters command (OSX/Linux/UNIX) to list the name of each Amazon ElastiCache cluster available in the selected AWS cloud region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --output table \
  --query 'CacheClusters[*].CacheClusterId'

03 The command output should return a table with the requested cluster names:

-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-002  |
+-----------------------------------+

04 Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Amazon ElastiCache cluster that you want to examine as the identifier parameter and custom output filters to describe the type of the node configured for the selected cache cluster and the cluster engine type:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --query 'CacheClusters[*].[Engine,CacheNodeType] | []'

05 The command output should return the requested cluster information:

[
	"memcached",
	"cache.m5.large"
]

Compare the node type returned by the describe-cache-clusters command output with the one allowed by your organization, based on the engine type, identified at step no. 1. If the verified cluster node type is not listed in the conformity rule settings, the selected Amazon ElastiCache cache cluster is not using the desired node type.

06 Repeat steps no. 4 and 5 for each ElastiCache cluster available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Audit process for other AWS regions.
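The CLI audit above, steps 2 to 6, carried out in one pass as an added example (not code from the original article): it parses the JSON that aws elasticache describe-cache-clusters returns for a region and reports every cluster whose node type is not in the per-engine desired list. The desired node types and the sample command output are constructed values standing in for the conformity rule settings and a real region.

```python
import json

# Desired node types per engine, as configured in the conformity rule
# settings (constructed example values, not the page's).
DESIRED_NODE_TYPES = {
    "redis": {"cache.t3.medium", "cache.m5.large"},
    "memcached": {"cache.m5.large"},
}

# Constructed sample of `aws elasticache describe-cache-clusters --output json`,
# trimmed to the fields this check needs.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "CacheClusters": [
        {"CacheClusterId": "cc-production-memcache-cluster",
         "Engine": "memcached", "CacheNodeType": "cache.m5.large"},
        {"CacheClusterId": "cc-production-redis-cluster-001",
         "Engine": "redis", "CacheNodeType": "cache.r6g.xlarge"},
        {"CacheClusterId": "cc-production-redis-cluster-002",
         "Engine": "redis", "CacheNodeType": "cache.t3.medium"},
    ]
})


def is_desired_node_type(engine, node_type, desired=DESIRED_NODE_TYPES):
    """True when node_type is allowed for this engine. An engine with no
    setting is treated as non-compliant so a new engine type cannot pass
    the check silently."""
    return node_type in desired.get(engine.lower(), set())


def find_noncompliant_clusters(describe_output, desired=DESIRED_NODE_TYPES):
    """Parse describe-cache-clusters JSON and return (id, engine, node_type)
    for each cluster whose node type is not a desired one."""
    data = json.loads(describe_output)
    findings = []
    for cluster in data.get("CacheClusters", []):
        engine = cluster.get("Engine", "")
        node_type = cluster.get("CacheNodeType", "")
        if not is_desired_node_type(engine, node_type, desired):
            findings.append((cluster["CacheClusterId"], engine, node_type))
    return findings


if __name__ == "__main__":
    for cluster_id, engine, node_type in find_noncompliant_clusters(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{cluster_id}: {engine} cluster uses {node_type}, not a desired node type")
```

Run it against a real region by piping the output of the describe-cache-clusters command shown above into find_noncompliant_clusters, once per region.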

Remediation / Resolution

To ensure that the provisioning of your Amazon ElastiCache cache clusters is limited to desired node types only (i.e. node types allowed by your organization), perform the following operations:

Creating a support case to request cluster node type limitations using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Support Center console available at https://console.aws.amazon.com/support/.

03 In the main navigation panel, choose Your support cases.

04 Choose Create case and perform the following operations:

  1. For How can we help? select Account and billing.
  2. For Service select Account.
  3. For Category select Other Account Issues.
  4. Choose Next step: Additional information to continue the process.
  5. Provide the request subject in the Subject box, e.g. "Limit the creation of Amazon ElastiCache cache cluster nodes to specific node types only".
  6. In the Description textbox, provide the list with the desired node types and explain why you need to disallow the creation of Amazon ElastiCache cache clusters with unwanted node types (e.g. for compliance purposes). This will help the AWS support team to promptly evaluate your request.
  7. Choose Next step: Solve now or contact us to continue.
  8. Choose the Contact us tab and perform the following actions:
    1. For Preferred contact language, choose your preferred correspondence language for the current support case.
    2. Select a preferred contact method that AWS support team can use to respond to your request.
  9. Choose Submit to send your request to Amazon Web Services (AWS). A customer support representative will contact you shortly.

Publication date Sep 28, 2017