ElastiCache Redis Multi-AZ

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-002

Ensure that your Amazon ElastiCache Redis cache clusters are using a Multi-AZ deployment configuration to enhance reliability through automatic failover. The Multi-AZ feature uses a read replica in case of a primary cache node failure.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Enabling the Multi-AZ feature for your Redis cache clusters will improve the fault tolerance in case the read/write primary node becomes unreachable due to loss of network connectivity or loss of availability in the primary's Availability Zone (AZ).


Audit

To determine if your Amazon ElastiCache Redis cache clusters are using a Multi-AZ configuration, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 In the Cluster details section, check the Multi-AZ configuration attribute value. If the Multi-AZ attribute value is set to Disabled, the selected Amazon ElastiCache Redis cache cluster is not using a Multi-AZ deployment configuration for reliability.

06 Repeat steps no. 4 and 5 for each Redis cache cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache cluster (replication group) available in the selected region:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return an array with the requested replication group names:

[
    "cc-redis-cache-cluster",
    "cc-redis-project-cluster"
]

03 Run describe-replication-groups command (OSX/Linux/UNIX) using the name of the Redis cache cluster that you want to examine as the identifier parameter and custom query filters to determine if the selected cache cluster is using a Multi-AZ deployment configuration:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups[*].MultiAZ'

04 The command output should return the Multi-AZ feature status available for the selected cluster:

[
    "disabled"
]

If the describe-replication-groups command output returns disabled, as shown in the output example above, the selected Amazon ElastiCache Redis cache cluster is not using a Multi-AZ deployment configuration for enhanced reliability.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To enable the Multi-AZ feature for your Amazon ElastiCache Redis cache cluster in order to enhance reliability through automatic failover, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Multi-AZ for Redis Cache Replication Groups",
    "Resources": {
        "RedisReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupId": "cc-redis-cache-cluster",
                "ReplicationGroupDescription": "Multi-AZ Replication Group",
                "Engine": "redis",
                "EngineVersion": "6.2",
                "NumCacheClusters": "2",
                "CacheNodeType": "cache.t2.micro",
                "CacheParameterGroupName": "default.redis6.x",
                "AutomaticFailoverEnabled": true,
                "MultiAZEnabled": true
            }
        }
    }
}

Note that Multi-AZ can only be enabled on a replication group that has automatic failover enabled and at least one read replica, which is why the template sets AutomaticFailoverEnabled together with MultiAZEnabled and provisions two cache clusters.

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Multi-AZ for Redis Cache Replication Groups
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-redis-cache-cluster
      ReplicationGroupDescription: Multi-AZ Replication Group
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      # Multi-AZ requires automatic failover and at least one read replica
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

  replication_group_id        = "cc-redis-cache-cluster"
  description                 = "Multi-AZ Replication Group"
  engine                      = "redis"
  engine_version              = "6.x"
  node_type                   = "cache.t2.micro"
  num_cache_clusters          = 2
  parameter_group_name        = "default.redis6.x"

  # Enable Multi-AZ for Redis Cache Replication Groups
  multi_az_enabled            = true
  automatic_failover_enabled  = true
  apply_immediately           = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name of the Redis cache cluster that you want to reconfigure and choose Modify.

05 On the Modify <cache-cluster-name> configuration page, perform the following actions:

  1. In the Location section, select the Enable setting checkbox available under Multi-AZ to enable the Multi-AZ feature for the selected Amazon ElastiCache Redis cache cluster.
  2. In the Schedule modifications section, select Yes under Apply Immediately to apply the configuration changes immediately. The modifications will be applied asynchronously, as soon as possible. If this step is skipped, the changes will be processed during the next maintenance window.
  3. Choose Modify to apply the changes.

06 Repeat steps no. 4 and 5 for each Redis cache cluster that you want to reconfigure, available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-replication-group command (OSX/Linux/UNIX) to enable the Multi-AZ automatic failover feature for the specified Amazon ElastiCache Redis cache cluster (replication group). Multi-AZ can only be enabled when automatic failover is enabled, so the command also includes the --automatic-failover-enabled parameter (it has no effect if failover is already on). Include the --apply-immediately parameter in the command request to apply the configuration changes asynchronously, as soon as possible:

aws elasticache modify-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --automatic-failover-enabled \
  --multi-az-enabled \
  --apply-immediately

02 The command output should return the metadata available for the reconfigured Redis cache cluster:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "available",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-redis-cache-cluster-0001-001",
            "cc-redis-cache-cluster-0001-002"
        ],
        "NodeGroups": [
            {
                "NodeGroupId": "0001",
                "Status": "available",
                "Slots": "0-16383",
                "NodeGroupMembers": [
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-0001-001",
                        "CacheNodeId": "0001",
                        "PreferredAvailabilityZone": "us-east-1e"
                    },
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-0001-002",
                        "CacheNodeId": "0001",
                        "PreferredAvailabilityZone": "us-east-1f"
                    }
                ]
            }
        ],
        "AutomaticFailover": "enabled",
        "MultiAZ": "enabled",
        "ConfigurationEndpoint": {
            "Address": "cc-redis-cache-cluster.abcabc.clustercfg.use1.cache.amazonaws.com",
            "Port": 6379
        },
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "08:00-09:00",
        "ClusterEnabled": true,
        "CacheNodeType": "cache.t2.micro",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T14:34:34.741000+00:00",
        "DataTiering": "disabled"
    }
}

03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to reconfigure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
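Added example, not the article's or Conformity's own code: a small Python evaluator that applies the Audit check from the CLI steps above to the JSON that describe-replication-groups returns, and builds the modify-replication-group call from the Remediation steps, adding the automatic-failover prerequisite only where the group lacks it. The describe output, group names and region are constructed sample values.

```python
# Added example, not from the Conformity article: evaluate the JSON returned by
# `aws elasticache describe-replication-groups` and build the fix command.
import json

# Constructed sample of the describe-replication-groups output (two groups).
CONSTRUCTED_DESCRIBE_OUTPUT = json.dumps({"ReplicationGroups": [
    {"ReplicationGroupId": "cc-redis-cache-cluster",      # non-compliant
     "MemberClusters": ["cc-redis-cache-cluster-0001-001",
                        "cc-redis-cache-cluster-0001-002"],
     "AutomaticFailover": "disabled", "MultiAZ": "disabled"},
    {"ReplicationGroupId": "cc-redis-project-cluster",    # compliant
     "MemberClusters": ["cc-redis-project-cluster-0001-001",
                        "cc-redis-project-cluster-0001-002"],
     "AutomaticFailover": "enabled", "MultiAZ": "enabled"},
]})


def find_non_multi_az_groups(describe_json):
    """One finding per group whose MultiAZ is not 'enabled', with its blockers.
    Multi-AZ requires at least one read replica (two member clusters) and
    automatic failover; both are checked so the fix command is complete.
    """
    findings = []
    for rg in json.loads(describe_json).get("ReplicationGroups", []):
        if rg.get("MultiAZ", "disabled").lower() == "enabled":
            continue
        blockers = []
        if len(rg.get("MemberClusters", [])) < 2:
            blockers.append("add a read replica")
        if rg.get("AutomaticFailover", "disabled").lower() != "enabled":
            blockers.append("enable automatic failover")
        findings.append({"ReplicationGroupId": rg["ReplicationGroupId"],
                         "Blockers": blockers})
    return findings


def remediation_command(finding, region):
    """Build the modify-replication-group call that enables Multi-AZ.
    --automatic-failover-enabled is added only when the group lacks it; a
    missing replica cannot be fixed by this command and stays in Blockers.
    """
    args = ["aws", "elasticache", "modify-replication-group",
            "--region", region,
            "--replication-group-id", finding["ReplicationGroupId"]]
    if "enable automatic failover" in finding["Blockers"]:
        args.append("--automatic-failover-enabled")
    args += ["--multi-az-enabled", "--apply-immediately"]
    return " ".join(args)


FINDINGS = find_non_multi_az_groups(CONSTRUCTED_DESCRIBE_OUTPUT)
```

In practice, feed the function the output of the describe-replication-groups command for each region in turn, and review any finding that lists "add a read replica" before running the generated command.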

Publication date Dec 23, 2016
