
Enable Automatic Backups

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Amazon ElastiCache is configured to take automatic daily backups for Redis cache clusters. When this feature is enabled, the ElastiCache service creates a daily backup from one node of the cluster (cluster mode disabled) or from each shard of the cluster (cluster mode enabled). For a cluster mode disabled cluster with replicas, choose a read replica as the backup source so that the snapshot does not add load on the primary node.

Reliability

When automatic backups for Redis cache clusters are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis and keeps it for the configured retention period (1 to 35 days). Automatic backups can help guard against data loss. In the event of a failure, you can create a new cache cluster, restoring your data from the most recent backup. The result is a warm-started Redis cache cluster, preloaded with your data and ready for use in production. Two caveats apply: a daily backup is a point-in-time copy, so writes made after the last snapshot are lost on restore, and automatic backups are deleted together with the replication group, so take a final manual backup (or export the backup to an S3 bucket you own) before decommissioning a cluster whose data you still need.


Audit

To determine if your Redis cache clusters are configured with automatic backups, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 Select the Maintenance and backups tab to access the backup settings available for the selected cache cluster.

06 In the Backup section, check the Automatic backups feature status. If the Automatic backups status is set to Disabled, automatic backups are not enabled for the selected Amazon ElastiCache Redis cache cluster.

07 Repeat steps no. 4 – 6 for each Redis cache cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom output filters to list the identifier of each Redis cache replication group available in the selected region:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return an array with the requested replication group names:

[
	"cc-redis-cache-cluster",
	"cc-redis-project-cluster"
]

03 Run describe-replication-groups command (OSX/Linux/UNIX) with the name of the Redis cache replication group that you want to examine as the identifier parameter, to determine the number of days configured to retain backups if automatic backups are enabled for the selected cache cluster. Note that describe-replication-groups lists only replication groups; a single-node Redis cache cluster that is not part of a replication group is returned by describe-cache-clusters instead, which exposes the same SnapshotRetentionLimit attribute and should be checked the same way:

aws elasticache describe-replication-groups \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups[*].SnapshotRetentionLimit'

04 The command output should return the requested retention value (number of days):

[
	0
]

If the number of days returned by the describe-replication-groups command output is 0 (zero), as shown in the output example above, the selected Amazon ElastiCache Redis cache cluster is not configured with automatic backups.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
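The audit logic above, applied to the CLI's JSON output, as an added example (this is not Conformity's code): the script below parses constructed describe-replication-groups and describe-cache-clusters responses and returns every Redis resource whose SnapshotRetentionLimit is missing or 0. The resource names in the samples are made up. Single-node Redis clusters that are not in a replication group never appear in step 1, which is why the describe-cache-clusters output is evaluated as well; clusters that belong to a replication group and Memcached clusters (which have no backup feature) are skipped.

```python
import json

# Constructed sample output of `aws elasticache describe-replication-groups`
# (one page). Group names are made up for this example.
SAMPLE_REPLICATION_GROUPS = json.loads("""
{
  "ReplicationGroups": [
    {"ReplicationGroupId": "cc-redis-cache-cluster", "Status": "available",
     "SnapshotRetentionLimit": 0, "SnapshotWindow": "05:00-06:00"},
    {"ReplicationGroupId": "cc-redis-project-cluster", "Status": "available",
     "SnapshotRetentionLimit": 7, "SnapshotWindow": "03:00-04:00"},
    {"ReplicationGroupId": "cc-redis-legacy-cluster", "Status": "available"}
  ]
}
""")

# Constructed sample output of `aws elasticache describe-cache-clusters`.
# The first cluster is a member node of a replication group (judged above),
# the second is a stand-alone single-node Redis cluster, the third is Memcached.
SAMPLE_CACHE_CLUSTERS = json.loads("""
{
  "CacheClusters": [
    {"CacheClusterId": "cc-redis-cache-cluster-0001-001", "Engine": "redis",
     "ReplicationGroupId": "cc-redis-cache-cluster", "SnapshotRetentionLimit": 0},
    {"CacheClusterId": "cc-redis-single-node", "Engine": "redis",
     "SnapshotRetentionLimit": 0},
    {"CacheClusterId": "cc-memcached-sessions", "Engine": "memcached"}
  ]
}
""")


def _retention_days(resource):
    """SnapshotRetentionLimit as an int; an absent field means backups are off."""
    return int(resource.get("SnapshotRetentionLimit") or 0)


def audit_backups(replication_group_pages, cache_cluster_pages):
    """Return findings for Redis resources that have no automatic backups.

    Both arguments are lists of parsed JSON responses, one per page, so the
    function also works when the CLI output was collected with --max-items /
    --starting-token. Each finding is {"type": ..., "id": ...}.
    """
    findings = []
    for page in replication_group_pages:
        for group in page.get("ReplicationGroups", []):
            if _retention_days(group) == 0:
                findings.append({"type": "replication-group",
                                 "id": group["ReplicationGroupId"]})
    for page in cache_cluster_pages:
        for cluster in page.get("CacheClusters", []):
            if cluster.get("Engine") != "redis":
                continue            # Memcached clusters cannot be backed up
            if cluster.get("ReplicationGroupId"):
                continue            # already judged via its replication group
            if _retention_days(cluster) == 0:
                findings.append({"type": "cache-cluster",
                                 "id": cluster["CacheClusterId"]})
    return findings


def load_pages(*paths):
    """Load saved CLI output files (one JSON document per file) as pages."""
    pages = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            pages.append(json.load(fh))
    return pages


if __name__ == "__main__":
    for finding in audit_backups([SAMPLE_REPLICATION_GROUPS],
                                 [SAMPLE_CACHE_CLUSTERS]):
        print(f"NON-COMPLIANT {finding['type']}: {finding['id']}")
```

To run it against a real region, save the two command outputs (for example `aws elasticache describe-replication-groups --region us-east-1 > rg.json` and `aws elasticache describe-cache-clusters --region us-east-1 > cc.json`) and pass `load_pages("rg.json")` and `load_pages("cc.json")` to `audit_backups`; repeat per region.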

Remediation / Resolution

To enable and configure automatic daily backups for your Amazon ElastiCache Redis cache clusters, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Automatic Daily Backups",
	"Resources": {
		"RedisReplicationGroup": {
			"Type": "AWS::ElastiCache::ReplicationGroup",
			"Properties": {
				"ReplicationGroupId": "cc-redis-cache-cluster",
				"ReplicationGroupDescription": "Production Replication Group",
				"Engine": "redis",
				"EngineVersion": "6.2",
				"NumCacheClusters": "2",
				"CacheNodeType": "cache.t2.micro",
				"CacheParameterGroupName": "default.redis6.x",
				"SnapshotRetentionLimit": 30,
				"SnapshotWindow": "05:00-06:00"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Automatic Daily Backups
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-redis-cache-cluster
      ReplicationGroupDescription: Production Replication Group
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      SnapshotRetentionLimit: 30
      SnapshotWindow: '05:00-06:00'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

	replication_group_id        = "cc-redis-cache-cluster"
	description                 = "Production Replication Group"
	engine                      = "redis"
	engine_version              = "6.x"
	node_type                   = "cache.t2.micro"
	num_cache_clusters          = 2
	parameter_group_name        = "default.redis6.x"

	# Enable Automatic Daily Backups
	snapshot_retention_limit    = 30
	snapshot_window             = "05:00-06:00"
	apply_immediately           = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Select the Redis cache cluster that you want to configure, choose Actions, and select Modify to access the backup configuration settings available for the cluster.

05 In the Backup section, perform the following actions:

  1. Check the Enable automatic backups setting checkbox to enable automatic daily backups for the selected Redis cache cluster.
  2. For Backup node ID select the node that is used as the daily backup source for your cluster.
  3. Use the Backup retention period dropdown list to configure the backup retention period (in days) for the selected cache cluster.
  4. For Backup start time, enter the daily start time during which automated backups are initiated.
  5. For Backup duration, choose the duration during which automated backups are initiated.

06 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

07 Repeat steps no. 4 - 6 for each Redis cache cluster that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run modify-replication-group command (OSX/Linux/UNIX) with the name of the Redis cache replication group that you want to configure as the identifier parameter, to enable and configure automatic daily backups for the selected cache cluster by setting the backup retention period to a positive value (greater than 0). Use the --snapshot-window command parameter to specify the daily time range (in UTC) during which Amazon ElastiCache begins taking a daily snapshot. Include --apply-immediately parameter in your command request if you want to apply the changes immediately. If --apply-immediately is not specified, the configuration changes will be processed during the next maintenance window:

aws elasticache modify-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --snapshot-retention-limit 30 \
  --snapshot-window 05:00-06:00 \
  --apply-immediately

02 The command output should return the information available for the configured cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-redis-cache-cluster",
		"Description": " ",
		"GlobalReplicationGroupInfo": {},
		"Status": "available",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-redis-cache-cluster-0001-001",
			"cc-redis-cache-cluster-0001-002"
		],

		...

		"AutomaticFailover": "enabled",
		"SnapshotRetentionLimit": 30,
		"SnapshotWindow": "05:00-06:00",
		"ClusterEnabled": true,
		"CacheNodeType": "cache.m5.large",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
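An added example of wrapping the remediation step above in a script (not part of the original page): it validates the parameters before building the modify-replication-group invocation, so that a retention of 0 (which would silently leave backups disabled), an out-of-range retention, a malformed window or a group id copied from an untrusted source cannot reach the CLI, and it then confirms from the API response that the new retention and window took effect. The sample response is constructed; the id pattern follows the constraints AWS documents for replication group names, and the 35-day maximum is AWS's documented limit for SnapshotRetentionLimit.

```python
import re
import shlex
import subprocess

MAX_RETENTION_DAYS = 35       # AWS maximum for SnapshotRetentionLimit
# ReplicationGroupId constraints (CreateReplicationGroup): 1-40 letters, digits
# or hyphens, first character a letter, no "--", no trailing hyphen.
_GROUP_ID = re.compile(r"(?!.*--)[A-Za-z][A-Za-z0-9-]{0,39}(?<!-)")
_HHMM = r"(?:[01]\d|2[0-3]):[0-5]\d"
_WINDOW = re.compile(rf"{_HHMM}-{_HHMM}")   # UTC range, e.g. 05:00-06:00

# Constructed sample of the modify-replication-group response (trimmed).
SAMPLE_MODIFY_RESPONSE = {
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Status": "available",
        "PendingModifiedValues": {},
        "SnapshotRetentionLimit": 30,
        "SnapshotWindow": "05:00-06:00",
    }
}


def build_modify_command(group_id, region, retention_days, snapshot_window,
                         apply_immediately=True):
    """Return the argv for modify-replication-group after validating inputs.

    Raises ValueError for values the API would reject or that would not
    actually enable backups (retention 0). Building an argv list rather than a
    shell string means no shell ever interprets the id or window.
    """
    if not _GROUP_ID.fullmatch(group_id):
        raise ValueError(f"invalid replication group id: {group_id!r}")
    if (isinstance(retention_days, bool) or not isinstance(retention_days, int)
            or not 1 <= retention_days <= MAX_RETENTION_DAYS):
        raise ValueError(
            f"retention must be 1..{MAX_RETENTION_DAYS} days, got {retention_days!r}")
    if not _WINDOW.fullmatch(snapshot_window):
        raise ValueError(
            f"snapshot window must be HH:MM-HH:MM (UTC), got {snapshot_window!r}")
    argv = ["aws", "elasticache", "modify-replication-group",
            "--region", region,
            "--replication-group-id", group_id,
            "--snapshot-retention-limit", str(retention_days),
            "--snapshot-window", snapshot_window]
    # The CLI generates --no-apply-immediately as the negative boolean form.
    argv.append("--apply-immediately" if apply_immediately
                else "--no-apply-immediately")
    return argv


def backups_confirmed(response, retention_days, snapshot_window):
    """True when the API response shows the requested backup settings applied."""
    group = response.get("ReplicationGroup", {})
    return (int(group.get("SnapshotRetentionLimit") or 0) == retention_days
            and group.get("SnapshotWindow") == snapshot_window)


def run(argv, dry_run=True):
    """Print the command; execute it and return stdout only when dry_run=False."""
    print(shlex.join(argv))
    if dry_run:
        return None
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    cmd = build_modify_command("cc-redis-cache-cluster", "us-east-1",
                               30, "05:00-06:00")
    run(cmd)   # dry run: prints the command instead of calling AWS
    print("confirmed:", backups_confirmed(SAMPLE_MODIFY_RESPONSE, 30, "05:00-06:00"))
```

With real credentials, call `run(cmd, dry_run=False)`, parse the returned JSON with `json.loads` and pass it to `backups_confirmed`; a `False` result after an `--apply-immediately` request is worth investigating before moving on to the next cluster.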

Publication date Jun 14, 2024