Configure Preferred Maintenance Window for ElastiCache Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon ElastiCache clusters are configured with a preferred maintenance window. The preferred maintenance window is the weekly time range, in Coordinated Universal Time (UTC), during which any system changes are applied. Before running this conformity rule, the preferred maintenance window must be configured in the rule settings, in your Trend Cloud One™ – Conformity account, based on the AWS region, using the following format: ddd:hh24:mi-ddd:hh24:mi (e.g. sat:03:00-sat:04:00). ElastiCache requires a window of at least 60 minutes, so a shorter range in the rule settings can never be matched by a cluster.

Reliability

Amazon Web Services (AWS) performs regular maintenance on ElastiCache resources. Maintenance often involves updates to the cluster's underlying Operating System (OS) or the cache engine version. These maintenance and service updates are required to apply upgrades that strengthen security, reliability, and operational performance. If you do not specify a preferred maintenance window, ElastiCache assigns a default 60-minute window chosen at random from an 8-hour block of time defined for each AWS region. Because your Amazon ElastiCache clusters may become unavailable during maintenance operations, you should set the maintenance window to the weekly time range in which your cache clusters are under their lowest load. This time range is the preferred maintenance window, and it must match the weekly time range configured in the conformity rule settings.


Audit

To determine if there is a preferred maintenance window configured for your Amazon ElastiCache clusters, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for ElastiCache Clusters conformity rule settings, and identify the preferred maintenance window defined for your Amazon ElastiCache clusters in the specified AWS region.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

04 For Redis cache clusters:

  1. In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
  2. Click on the name (link) of the Redis cache cluster that you want to examine.
  3. Select the Maintenance and backups tab and check the Maintenance window attribute value, in the Maintenance section, to identify the maintenance window configured for the selected cache cluster. Compare the Maintenance window value (time interval) with the maintenance window defined in the conformity rule settings for the ElastiCache clusters available in the selected AWS region. If the cluster maintenance window is different than the one identified at step no. 1, the preferred maintenance window set for the selected Redis cache cluster is not compliant.

05 For Memcached cache clusters:

  1. In the main navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
  2. Click on the name (link) of the Memcached cache cluster that you want to examine.
  3. Select the Maintenance tab and check the Maintenance window attribute value, in the Maintenance section, to identify the maintenance window configured for the selected cache cluster. Compare the Maintenance window value with the maintenance window defined in the conformity rule settings for the cache clusters available in the selected AWS region. If the cluster maintenance window is different than the one identified at step no. 1, the preferred maintenance window set for the selected Memcached cache cluster is not compliant.

06 Repeat steps no. 4 and 5 for each Amazon ElastiCache cluster provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for ElastiCache Clusters conformity rule settings, and identify the preferred maintenance window defined for your Amazon ElastiCache clusters in the specified AWS region.

02 Run describe-cache-clusters command (OSX/Linux/UNIX) to list the identifier (name) of each Amazon ElastiCache cluster available in the selected AWS cloud region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --output table \
  --query 'CacheClusters[*].CacheClusterId'

03 The command output should return a table with the requested cluster names:

-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-002  |
+-----------------------------------+

04 Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Amazon ElastiCache cluster that you want to examine as the identifier parameter and custom output filters to describe the preferred maintenance window configured for the selected cache cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --query 'CacheClusters[*].PreferredMaintenanceWindow'

05 The command output should return the requested cluster maintenance information:

[
	"thu:09:30-thu:10:30"
]

If the maintenance window returned by the describe-cache-clusters command output is different than the one identified at step no. 1, the preferred maintenance window set for the selected Amazon ElastiCache cluster is not compliant.

06 Repeat steps no. 4 and 5 for each ElastiCache cluster provisioned in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Audit process for other regions.

Remediation / Resolution

Your Amazon ElastiCache clusters may become unavailable during maintenance operations. Therefore, you may want to change the preferred maintenance window to a time in which your cache clusters are under their lowest load. To update the preferred maintenance window for your Amazon ElastiCache clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis or Memcached caches to access the cache clusters created with Memcached.

04 Select the Redis/Memcached cache cluster that you want to configure, choose Actions, and select Modify to configure the maintenance settings for the selected cluster.

05 In the Maintenance section, use the Maintenance start day, Maintenance start time, and Maintenance duration controls to configure the preferred maintenance window to a time in which your Amazon ElastiCache cluster is under its lowest load, as defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

06 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each ElastiCache cache cluster that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 For Redis cache clusters:

  1. Run describe-replication-groups command (OSX/Linux/UNIX) to list the identifier (name) of each Redis replication group available in the selected AWS cloud region:
    aws elasticache describe-replication-groups \
      --region us-east-1 \
      --output table \
      --query 'ReplicationGroups[*].ReplicationGroupId'
    
  2. The command output should return a table with the requested resource names:
    ----------------------------------
    |   DescribeReplicationGroups    |
    +--------------------------------+
    |  cc-production-redis-cluster   |
    |  cc-webapp-redis-cache-cluster |
    +--------------------------------+
    
  3. Run modify-replication-group command (OSX/Linux/UNIX) with the name of the Redis replication group that you want to configure as the identifier parameter, to set the preferred maintenance window as defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account. The window is set once on the replication group and applies to all of its member clusters. The compliant maintenance window must be specified in Coordinated Universal Time (UTC) using the ddd:hh24:mi-ddd:hh24:mi format, where the valid days are mon, tue, wed, thu, fri, sat, and sun, and it must be at least 60 minutes long. Include the --apply-immediately parameter in your command request if you want to apply the change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
    aws elasticache modify-replication-group \
      --region us-east-1 \
      --replication-group-id cc-production-redis-cluster \
      --preferred-maintenance-window sun:03:00-sun:04:00
    
  4. The command output should return the information available for the configured Redis cache replication group:
    {
    	"ReplicationGroup": {
    		"ReplicationGroupId": "cc-production-redis-cluster",
    		"GlobalReplicationGroupInfo": {},
    		"Status": "available",
    		"PendingModifiedValues": {},
    		"MemberClusters": [
    			"cc-production-redis-cluster-001",
    			"cc-production-redis-cluster-002"
    		],
    
    		...
    
    		"AutomaticFailover": "disabled",
    		"MultiAZ": "disabled",
    		"SnapshotWindow": "05:30-06:30",
    		"CacheNodeType": "cache.m5.large",
    		"TransitEncryptionEnabled": false,
    		"AtRestEncryptionEnabled": false,
    		"LogDeliveryConfigurations": [],
    		"DataTiering": "disabled"
    	}
    }
    

02 For Memcached cache clusters:

  1. Run modify-cache-cluster command (OSX/Linux/UNIX) with the name of the Memcached cache cluster that you want to configure as the identifier parameter, to update the preferred maintenance window to a time in which your cluster is under its lowest load (as defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account). The compliant maintenance window must be specified in Coordinated Universal Time (UTC) using the ddd:hh24:mi-ddd:hh24:mi format, where the valid days are mon, tue, wed, thu, fri, sat, and sun, and it must be at least 60 minutes long. The following command example updates the preferred maintenance window for the selected cache cluster to Sunday between 03:00 and 04:00 (UTC). Include the --apply-immediately parameter in your command request if you want to apply the change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
    aws elasticache modify-cache-cluster \
      --region us-east-1 \
      --cache-cluster-id cc-production-memcache-cluster \
      --preferred-maintenance-window sun:03:00-sun:04:00 \
      --query 'CacheCluster.PreferredMaintenanceWindow'
    
  2. The command output should return the new maintenance window configured for the specified Memcached cache cluster:
    "sun:03:00-sun:04:00"
    

03 Repeat steps no. 1 and 2 for each ElastiCache cache cluster that you want to configure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
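The Audit and Remediation procedures above can be driven from one script instead of repeating steps per cluster. The following Python is an added example, not part of this Conformity page or of the AWS CLI: it evaluates the JSON returned by aws elasticache describe-cache-clusters --output json against the window configured in the rule settings, validates that the configured window itself meets the 60-minute minimum, and prints the modify command for each non-compliant resource, issuing modify-replication-group once per Redis replication group and modify-cache-cluster for standalone Memcached clusters. The sample response, the resource names and the expected window sun:03:00-sun:04:00 are constructed for illustration.

```python
"""Check ElastiCache maintenance windows against the rule setting (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
WEEK_MINUTES = 7 * 24 * 60
MIN_WINDOW_MINUTES = 60  # ElastiCache rejects windows shorter than 60 minutes


def _to_minutes(point: str) -> int:
    """Convert 'ddd:hh24:mi' to minutes since Monday 00:00 UTC; reject bad fields."""
    day, hh, mm = point.split(":")
    hour, minute = int(hh), int(mm)
    if day not in DAYS or not 0 <= hour < 24 or not 0 <= minute < 60:
        raise ValueError(point)
    return DAYS.index(day) * 1440 + hour * 60 + minute


def parse_window(window: str):
    """Parse 'ddd:hh24:mi-ddd:hh24:mi' into (start, end) minute offsets."""
    try:
        start, end = window.strip().lower().split("-")
        return _to_minutes(start), _to_minutes(end)
    except ValueError as exc:
        raise ValueError(f"malformed maintenance window {window!r}") from exc


def window_minutes(window: str) -> int:
    """Window length; the modulo handles a range that wraps past Sunday midnight."""
    start, end = parse_window(window)
    return (end - start) % WEEK_MINUTES


def window_is_valid(window: str) -> bool:
    """True when the window parses and meets the 60-minute minimum."""
    try:
        return window_minutes(window) >= MIN_WINDOW_MINUTES
    except ValueError:
        return False


def is_compliant(actual: str, expected: str) -> bool:
    """Compliance is an exact match of the range, independent of letter case."""
    return parse_window(actual) == parse_window(expected)


@dataclass
class Finding:
    cluster_id: str
    engine: str
    replication_group: Optional[str]  # set for Redis nodes that belong to a group
    window: str
    compliant: bool


def audit(response: Dict, expected: str) -> List[Finding]:
    """Evaluate every cluster in a describe-cache-clusters JSON response."""
    if not window_is_valid(expected):
        raise ValueError(f"rule setting {expected!r} is not a valid window")
    return [Finding(cc["CacheClusterId"], cc["Engine"], cc.get("ReplicationGroupId"),
                    cc["PreferredMaintenanceWindow"],
                    is_compliant(cc["PreferredMaintenanceWindow"], expected))
            for cc in response["CacheClusters"]]


def remediation_commands(findings: List[Finding], expected: str, region: str) -> List[str]:
    """One modify command per non-compliant resource: Redis nodes that share a
    replication group are fixed once with modify-replication-group, standalone
    (Memcached) clusters with modify-cache-cluster."""
    commands, seen_groups = [], set()
    for f in findings:
        if f.compliant:
            continue
        if f.replication_group:
            if f.replication_group in seen_groups:
                continue
            seen_groups.add(f.replication_group)
            commands.append(f"aws elasticache modify-replication-group --region {region} "
                            f"--replication-group-id {f.replication_group} "
                            f"--preferred-maintenance-window {expected}")
        else:
            commands.append(f"aws elasticache modify-cache-cluster --region {region} "
                            f"--cache-cluster-id {f.cluster_id} "
                            f"--preferred-maintenance-window {expected}")
    return commands


# Constructed sample response, trimmed to the fields the audit reads; a real run
# would load the output of: aws elasticache describe-cache-clusters --output json
SAMPLE_RESPONSE = {"CacheClusters": [
    {"CacheClusterId": "cc-production-memcache-cluster", "Engine": "memcached",
     "PreferredMaintenanceWindow": "thu:09:30-thu:10:30"},
    {"CacheClusterId": "cc-production-redis-cluster-001", "Engine": "redis",
     "ReplicationGroupId": "cc-production-redis-cluster",
     "PreferredMaintenanceWindow": "wed:05:00-wed:06:00"},
    {"CacheClusterId": "cc-production-redis-cluster-002", "Engine": "redis",
     "ReplicationGroupId": "cc-production-redis-cluster",
     "PreferredMaintenanceWindow": "wed:05:00-wed:06:00"},
]}
EXPECTED_WINDOW = "sun:03:00-sun:04:00"  # assumed conformity rule setting for us-east-1

if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSE, EXPECTED_WINDOW)
    for f in results:
        print(f"{f.cluster_id}: {f.window} -> {'compliant' if f.compliant else 'NOT compliant'}")
    for cmd in remediation_commands(results, EXPECTED_WINDOW, "us-east-1"):
        print(cmd)
```

For a live run, save the response with aws elasticache describe-cache-clusters --region us-east-1 --output json, load it with json.load, and pass it to audit() in place of SAMPLE_RESPONSE, once per region. The script only proposes the modify commands; review them, add --apply-immediately where you want the change applied now, and run them yourself.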

Publication date Jun 17, 2024