
ElastiCache Engine Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-013

Ensure that your Amazon ElastiCache clusters are using the latest stable version of the Redis/Memcached cache engine in order to adhere to AWS cloud best practices, benefit from better security by having the most recent vulnerability patches, receive the newest software features, and get the latest performance optimizations.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars addressed by this rule:

  • Security
  • Reliability
  • Performance Efficiency
  • Sustainability

Upgrading your Amazon ElastiCache cache clusters to the latest stable Redis/Memcached engine version gives them the most recent vulnerability patches, the newest engine features and the latest performance optimizations.

Audit

To determine if your Amazon ElastiCache clusters are using the latest version of Redis/Memcached engine, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 For Redis cache clusters:

  1. In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
  2. Click on the name (link) of the Redis cache cluster that you want to examine.
  3. In the Cluster details section, check the Engine version attribute value to identify the Redis cache engine version installed for the selected cluster. Compare the Engine version value with the latest Redis engine version supported by Amazon ElastiCache, listed on this page. If Amazon ElastiCache supports a newer Redis engine version, the selected cluster should be upgraded to benefit from the security and performance improvements that come with the latest engine version.

04 For Memcached cache clusters:

  1. In the navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
  2. Click on the name (link) of the Memcached cache cluster that you want to examine.
  3. In the Cluster details section, check the Engine version attribute value to identify the Memcached cache engine version installed for the selected cluster. Compare the Engine version value with the latest Memcached engine version supported by Amazon ElastiCache, listed on this page. If Amazon ElastiCache supports a newer Memcached engine version, the selected cluster should be upgraded to benefit from the security and performance improvements that come with the latest engine version.

05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 For Redis cache clusters:

  1. Run describe-cache-clusters command (OSX/Linux/UNIX) with custom output filters to list the identifier (name) of each Redis cache cluster available in the selected AWS region:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --output table \
      --query 'CacheClusters[?(Engine==`redis`)].CacheClusterId'
    
  2. The command output should return a table with the requested resource names:
    -------------------------------------
    |       DescribeCacheClusters       |
    +-----------------------------------+
    |  cc-production-redis-cluster-001  |
    |  cc-production-redis-cluster-002  |
    +-----------------------------------+
    
  3. Run describe-cache-clusters command (OSX/Linux/UNIX) again with the name of the Redis cache cluster that you want to examine as the identifier parameter and custom output filters to describe the Redis cache engine version installed on the selected cache cluster:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --cache-cluster-id cc-production-redis-cluster-001 \
      --query 'CacheClusters[*].EngineVersion'
    
  4. The command output should return the Redis cache engine version:
    [
    	"5.0.6"
    ]
    

    Compare the engine version returned by the describe-cache-clusters command output with the latest Redis engine version supported by Amazon ElastiCache, listed on this page. If Amazon ElastiCache supports a newer Redis engine version, the selected Redis cluster should be upgraded to benefit from the security and performance improvements that come with the latest version.

02 For Memcached cache clusters:

  1. Run describe-cache-clusters command (OSX/Linux/UNIX) with custom output filters to list the name of each Memcached cache cluster available in the selected AWS cloud region:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --output table \
      --query 'CacheClusters[?(Engine==`memcached`)].CacheClusterId'
    
  2. The command output should return a table with the requested cluster names:
    -------------------------------------
    |       DescribeCacheClusters       |
    +-----------------------------------+
    |  cc-production-memcache-cluster   |
    |  cc-backend-app-memcache-cluster  |
    +-----------------------------------+
    
  3. Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Memcached cache cluster that you want to examine as the identifier parameter, to describe the Memcached cache engine version installed on the selected cache cluster:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --cache-cluster-id cc-production-memcache-cluster \
      --query 'CacheClusters[*].EngineVersion'
    
  4. The command output should return the Memcached cache engine version:
    [
    	"1.5.10"
    ]
    

    Compare the engine version returned by the describe-cache-clusters command output with the latest Memcached engine version supported by Amazon ElastiCache, listed on this page. If Amazon ElastiCache supports a newer Memcached engine version, the selected Memcached cluster should be upgraded to benefit from the security and performance improvements that come with the latest version.

03 Repeat step no. 1 for each Redis cache cluster and step no. 2 for each Memcached cache cluster provisioned in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Audit process for other regions.
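The CLI steps above leave the actual comparison to the reader, against a version list on a web page. The script below is an added example, not part of the Conformity rule or of any AWS tooling: it performs the same audit against the output of `aws elasticache describe-cache-engine-versions`, which is the authoritative list of engine versions AWS currently offers, and it reports for each outdated cluster the object the Remediation section actually modifies (the replication group for Redis members, the cache cluster for Memcached) together with the parameter group family the target version requires. The `SAMPLE_CLUSTERS` and `SAMPLE_ENGINE_VERSIONS` records are constructed to mirror the values shown above so the module runs offline; `fetch_live()` shows the equivalent boto3 calls for real data. The helper names (`version_key`, `latest_supported`, `is_current`, `audit`, `fetch_live`) and the prefix-comparison rule for Redis 6+ (AWS lists "7.1", a cluster reports "7.1.x") are this example's own assumptions.

```python
"""Audit ElastiCache engine versions against the newest versions AWS supports."""
from typing import Iterable

# Constructed stand-in for `aws elasticache describe-cache-engine-versions`
# output. The real list changes over time: always pull it live (fetch_live).
SAMPLE_ENGINE_VERSIONS = [
    {"Engine": "redis", "EngineVersion": "5.0.6", "CacheParameterGroupFamily": "redis5.0"},
    {"Engine": "redis", "EngineVersion": "6.2", "CacheParameterGroupFamily": "redis6.x"},
    {"Engine": "redis", "EngineVersion": "7.0", "CacheParameterGroupFamily": "redis7"},
    {"Engine": "redis", "EngineVersion": "7.1", "CacheParameterGroupFamily": "redis7"},
    {"Engine": "memcached", "EngineVersion": "1.5.10", "CacheParameterGroupFamily": "memcached1.5"},
    {"Engine": "memcached", "EngineVersion": "1.6.22", "CacheParameterGroupFamily": "memcached1.6"},
]

# Constructed stand-in for `aws elasticache describe-cache-clusters` output.
# A Redis node that belongs to a replication group carries ReplicationGroupId;
# that id, not the node id, is what modify-replication-group needs.
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "cc-production-redis-cluster-001", "Engine": "redis",
     "EngineVersion": "5.0.6", "ReplicationGroupId": "cc-production-redis-cluster"},
    {"CacheClusterId": "cc-production-memcache-cluster", "Engine": "memcached",
     "EngineVersion": "1.5.10"},
    {"CacheClusterId": "cc-backend-app-memcache-cluster", "Engine": "memcached",
     "EngineVersion": "1.6.22"},
]


def version_key(version: str) -> tuple:
    """Turn '7.1', '6.2.6' or '6.x' into a comparable tuple of ints,
    stopping at the first non-numeric component ('6.x' -> (6,))."""
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    return tuple(parts)


def latest_supported(engine_versions: Iterable[dict], engine: str) -> dict:
    """The describe-cache-engine-versions entry with the highest version for `engine`."""
    candidates = [ev for ev in engine_versions if ev["Engine"] == engine]
    if not candidates:
        raise ValueError(f"no supported versions listed for engine {engine!r}")
    return max(candidates, key=lambda ev: version_key(ev["EngineVersion"]))


def is_current(installed: str, latest: str) -> bool:
    """Assumption: AWS lists Redis 6+ at major.minor precision ('7.1') while a
    cluster reports its patch level ('7.1.0'), so compare only as many
    components as the listed version specifies."""
    inst, lat = version_key(installed), version_key(latest)
    return inst[: len(lat)] >= lat


def audit(clusters: Iterable[dict], engine_versions: Iterable[dict]) -> list:
    """One finding per cluster running an older engine than AWS currently offers."""
    engine_versions = list(engine_versions)
    findings = []
    for cluster in clusters:
        latest = latest_supported(engine_versions, cluster["Engine"])
        if is_current(cluster["EngineVersion"], latest["EngineVersion"]):
            continue
        findings.append({
            "CacheClusterId": cluster["CacheClusterId"],
            "Engine": cluster["Engine"],
            "Installed": cluster["EngineVersion"],
            "Latest": latest["EngineVersion"],
            # A cross-major upgrade needs a parameter group from this family.
            "ParameterGroupFamily": latest["CacheParameterGroupFamily"],
            # Remediate the replication group for Redis members, the cluster otherwise.
            "RemediationTarget": cluster.get("ReplicationGroupId", cluster["CacheClusterId"]),
        })
    return findings


def fetch_live(region: str) -> tuple:
    """Fetch real inputs with boto3 (both APIs are paginated). boto3 is imported
    lazily so the offline part of this module works without it installed."""
    import boto3
    client = boto3.client("elasticache", region_name=region)
    clusters = [c for page in client.get_paginator("describe_cache_clusters").paginate()
                for c in page["CacheClusters"]]
    versions = [v for page in client.get_paginator("describe_cache_engine_versions").paginate()
                for v in page["CacheEngineVersions"]]
    return clusters, versions


if __name__ == "__main__":
    for f in audit(SAMPLE_CLUSTERS, SAMPLE_ENGINE_VERSIONS):
        print(f"{f['CacheClusterId']}: {f['Engine']} {f['Installed']} -> {f['Latest']} "
              f"(modify {f['RemediationTarget']}, parameter group family {f['ParameterGroupFamily']})")
```

To audit a real account, replace the two sample lists with `clusters, versions = fetch_live("us-east-1")` and loop over every region you use, exactly as step 04 above does for the CLI.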

Remediation / Resolution

To upgrade the Redis/Memcached cache engine version for your existing Amazon ElastiCache cache clusters, perform the following operations:

Upgrading the Redis/Memcached cache engine version via the AWS Management Console is not currently supported.

Case A: Memcached Cache Clusters

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Upgrade Memcached Cache Engine to Latest Supported Version",
	"Resources": {
		"MemcachedCacheCluster": {
			"Type": "AWS::ElastiCache::CacheCluster",
			"Properties": {
				"ClusterName": "cc-memcached-cluster",
				"Engine": "memcached",
				"NumCacheNodes": "2",
				"CacheNodeType": "cache.t2.micro",
				"PreferredAvailabilityZone": "us-east-1b",
				"VpcSecurityGroupIds": ["sg-0abcd1234abcd1234"],
				"EngineVersion": "1.6.22"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Memcached Cache Engine to Latest Supported Version
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      ClusterName: cc-memcached-cluster
      Engine: memcached
      NumCacheNodes: '2'
      CacheNodeType: cache.t2.micro
      PreferredAvailabilityZone: us-east-1b
      VpcSecurityGroupIds:
        - sg-0abcd1234abcd1234
      EngineVersion: '1.6.22'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_cluster" "memcached-cache-cluster" {

	cluster_id           = "cc-memcached-cluster"
	engine               = "memcached"
	node_type            = "cache.t2.micro"
	num_cache_nodes      = 2
	availability_zone    = "us-east-1b"
	parameter_group_name = "default.memcached1.6"
	security_group_ids   = ["sg-0abcd1234abcd1234"]

	# Upgrade Memcached Cache Engine to Latest Supported Version
	engine_version       = "1.6.22"
	apply_immediately    = true

}

Using AWS CLI

01 To upgrade the Memcached engine version for your Amazon ElastiCache cache cluster to the latest stable version supported by AWS, run modify-cache-cluster command (OSX/Linux/UNIX) with the name of the cache cluster that you want to upgrade as the identifier parameter. Include the --apply-immediately parameter if you want the configuration change applied right away; without it, the change is processed during the next maintenance window. Note that a Memcached engine upgrade is a disruptive operation: Memcached does not persist data, so the cluster's cached data is lost when the nodes are upgraded. Schedule the upgrade for a time when your application can tolerate a cold cache. Engine versions cannot be downgraded afterwards:

aws elasticache modify-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --engine-version 1.6.22 \
  --apply-immediately

02 The command output should return the information available for the configured Memcached cache cluster:

{
	"CacheCluster": {
		"CacheClusterId": "cc-production-memcache-cluster",
		"ConfigurationEndpoint": {
			"Address": "cc-production-memcache-cluster.abcabc.cfg.use1.cache.amazonaws.com",
			"Port": 11211
		},
		"Engine": "memcached",

		...

		"AutoMinorVersionUpgrade": true,
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-production-memcache-cluster",
		"ReplicationGroupLogDeliveryEnabled": false,
		"LogDeliveryConfigurations": []
	}
}

03 Repeat steps no. 1 and 2 for each Memcached cache cluster that you want to upgrade, available in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Case B: Redis Cache Clusters

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Upgrade Redis Cache Engine to Latest Supported Version",
	"Resources": {
		"RedisReplicationGroup": {
			"Type": "AWS::ElastiCache::ReplicationGroup",
			"Properties": {
				"ReplicationGroupId": "cc-redis-cache-cluster",
				"ReplicationGroupDescription": "Production Replication Group",
				"NumCacheClusters": "2",
				"CacheNodeType": "cache.t2.micro",
				"CacheParameterGroupName": "default.redis7",
				"Engine": "redis",
				"EngineVersion": "7.1"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Redis Cache Engine to Latest Supported Version
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-redis-cache-cluster
      ReplicationGroupDescription: Production Replication Group
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis7
      Engine: redis
      EngineVersion: '7.1'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

	replication_group_id        = "cc-redis-cache-cluster"
	description                 = "Production Replication Group"
	engine                      = "redis"
	node_type                   = "cache.t2.micro"
	num_cache_clusters          = 2
	# The parameter group family must match the engine major version (redis7 for 7.x)
	parameter_group_name        = "default.redis7"

	# Upgrade Redis Cache Engine to Latest Supported Version
	engine_version              = "7.1"
	apply_immediately           = true

}

Using AWS CLI

01 To upgrade the Redis engine version for your Amazon ElastiCache cache cluster to the latest stable version supported by AWS, run modify-replication-group command (OSX/Linux/UNIX) with the name of the replication group that you want to upgrade as the identifier parameter. Include the --apply-immediately parameter if you want the configuration change applied right away; without it, the change is processed during the next maintenance window. When the upgrade crosses a major version (for example from 5.0.x to 7.x), also pass --cache-parameter-group-name with a parameter group from the new engine family (default.redis7, or default.redis7.cluster.on for a cluster-mode-enabled group), otherwise ElastiCache rejects the request because the current parameter group is incompatible with the target version. Engine versions cannot be downgraded afterwards:

aws elasticache modify-replication-group \
  --region us-east-1 \
  --replication-group-id cc-production-redis-cluster \
  --engine-version 7.1 \
  --cache-parameter-group-name default.redis7 \
  --apply-immediately

02 The command output should return the information available for the configured Redis replication group:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-production-redis-cluster",
		"Status": "available",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-production-redis-cluster-001",
			"cc-production-redis-cluster-002"
		],

		...

		"MultiAZ": "enabled",
		"SnapshotRetentionLimit": 14,
		"SnapshotWindow": "05:00-06:00",
		"CacheNodeType": "cache.m5.large",
		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": true
	}
}

03 Repeat steps no. 1 and 2 for each Redis replication group that you want to upgrade, available in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Dec 20, 2017