Unused ElastiCache Reserved Cache Nodes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC-009

Ensure that all purchased Amazon ElastiCache Reserved Nodes (RNs) have corresponding nodes running within the same AWS account or within any linked AWS accounts available in an AWS Organization (if you are using one). A corresponding node is an ElastiCache cluster node that matches reservation parameters such as Region and Node Type.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Cost optimisation

When an Amazon ElastiCache Reserved Node is not used (i.e. it does not have a running corresponding node), the investment made in the reservation is wasted. For example, if you reserve a cache.m5.large cluster node within the US East (N. Virginia) region and you don't launch a node with the same type, in the same region of the same AWS account (or in any other member AWS account available within your AWS Organization), the specified Reserved Node is considered unused and you end up paying for cloud resources that you don't use.

Audit

To determine if you have any unused Amazon ElastiCache Reserved Nodes (RNs) within your AWS cloud account or AWS Organization, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Reserved nodes to access the cache nodes reserved for the current AWS region.

04 Click on the name (link) of the active Redis/Memcached cache node that you want to examine. An active cache node has the Status set to Active.

05 In the Reserved node details section, identify the cache engine and the node type, listed under Engine and Node type.

06 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis or Memcached caches to access the cache clusters created with Memcached.

07 Choose the Redis/Memcached cluster that you want to examine for corresponding cache nodes and check the node type listed in the Configuration column to determine if there are corresponding Reserved Nodes purchased for the selected cache cluster.

08 Repeat step no. 7 for each Redis/Memcached cache cluster provisioned within the current AWS region. If none of the verified clusters have active nodes matching the node type identified in step 5, the selected Reserved Node (RN) does not correspond to any running nodes within your Amazon ElastiCache clusters. Consequently, the selected ElastiCache Reserved Node (RN) is not being utilized.

09 If your AWS account is member of an AWS Organization, access the Redis caches/Memcached caches page available for each linked account, select the same AWS cloud region, and repeat steps no. 7 and 8 to check for active corresponding ElastiCache cluster cache nodes.

10 Repeat steps no. 4 – 9 for each Amazon ElastiCache Reserved Node (RN) available within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-reserved-cache-nodes command (OSX/Linux/UNIX) with custom query filters to describe the node type for each Amazon ElastiCache Reserved Node purchased in the selected AWS region:

aws elasticache describe-reserved-cache-nodes \
  --region us-east-1 \
  --output table \
  --query 'ReservedCacheNodes[*].CacheNodeType'

02 The command output should return a table with the requested ElastiCache RN node types:

----------------------------
|DescribeReservedCacheNodes|
+--------------------------+
|      cache.m5.large      |
|      cache.t3.medium     |
+--------------------------+

03 Run describe-cache-clusters command (OSX/Linux/UNIX) to list the identifier (name) of each Amazon ElastiCache cluster available in the selected AWS cloud region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --output table \
  --query 'CacheClusters[*].CacheClusterId'

04 The command output should return a table with the requested cluster names:

-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-002  |
+-----------------------------------+

05 Run the describe-cache-clusters command (OSX/Linux/UNIX) again, with the name of the Amazon ElastiCache cluster that you want to examine as the identifier parameter and custom output filters, to describe the type of the cache node configured for the selected Redis/Memcached cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --query 'CacheClusters[*].CacheNodeType'

06 The command output should return the requested cluster node information:

[
	"cache.m5.xlarge"
]

Repeat steps no. 5 and 6 for each Amazon ElastiCache cluster provisioned in the selected AWS region. If none of the verified clusters have active cache nodes that match the reservation type (i.e. node type) identified in step 2, the selected Reserved Node (RN) does not have a corresponding cluster node provisioned in the selected AWS region. Therefore, the selected ElastiCache Reserved Node (RN) is not utilized.

07 Repeat steps no. 3 – 6 for each ElastiCache Reserved Node (RN) available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other AWS regions.
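The CLI audit above, automated as an added Python example (not Conformity's own tooling): it takes the same two API results (reserved cache nodes and cache clusters), matches reserved nodes to running cluster nodes by engine and node type, and goes one step further by comparing counts, so one running cache.m5.large node does not "cover" two reserved ones. The boto3 paginator calls, the (engine, node type) match key, the set of cluster states treated as running, and the sample data are assumptions; clusters from every member account of an AWS Organization can be passed in together.

```python
from collections import Counter

# Constructed sample data, shaped like the describe-reserved-cache-nodes and
# describe-cache-clusters output shown on this page; not real account data.
SAMPLE_RESERVED = [
    {"CacheNodeType": "cache.m5.large", "ProductDescription": "memcached", "CacheNodeCount": 2, "State": "active"},
    {"CacheNodeType": "cache.t3.medium", "ProductDescription": "redis", "CacheNodeCount": 1, "State": "active"},
    {"CacheNodeType": "cache.r5.large", "ProductDescription": "redis", "CacheNodeCount": 1, "State": "retired"},
]
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "cc-production-memcache-cluster", "Engine": "memcached",
     "CacheNodeType": "cache.m5.xlarge", "NumCacheNodes": 1, "CacheClusterStatus": "available"},
    {"CacheClusterId": "cc-production-redis-cluster-001", "Engine": "redis",
     "CacheNodeType": "cache.t3.medium", "NumCacheNodes": 1, "CacheClusterStatus": "available"},
]
# Assumption: cluster states treated as "running" for the purpose of this check.
ACTIVE_CLUSTER_STATES = {"available", "modifying", "snapshotting"}


def count_reserved(reserved_nodes):
    """Active reservations keyed by (engine, node type) -> number of reserved nodes."""
    counts = Counter()
    for rn in reserved_nodes:
        if rn.get("State") == "active":  # retired or payment-pending reservations are not counted
            counts[(rn["ProductDescription"].lower(), rn["CacheNodeType"])] += rn.get("CacheNodeCount", 1)
    return counts

def count_running(clusters):
    """Running cache nodes keyed the same way; Redis replication groups appear as one cluster per member."""
    counts = Counter()
    for c in clusters:
        if c.get("CacheClusterStatus") in ACTIVE_CLUSTER_STATES:
            counts[(c["Engine"].lower(), c["CacheNodeType"])] += c.get("NumCacheNodes", 1)
    return counts

def find_unused(reserved_nodes, clusters):
    """Return {(engine, node_type): count} of reserved nodes that no running node corresponds to."""
    running = count_running(clusters)
    return {k: n - running.get(k, 0) for k, n in count_reserved(reserved_nodes).items() if n > running.get(k, 0)}

def audit_region(region):
    """Live variant for one region via boto3 (needs AWS credentials; both API calls are paginated)."""
    import boto3
    ec = boto3.client("elasticache", region_name=region)
    rns = [rn for p in ec.get_paginator("describe_reserved_cache_nodes").paginate() for rn in p["ReservedCacheNodes"]]
    ccs = [c for p in ec.get_paginator("describe_cache_clusters").paginate() for c in p["CacheClusters"]]
    return find_unused(rns, ccs)

if __name__ == "__main__":
    for (engine, node_type), n in find_unused(SAMPLE_RESERVED, SAMPLE_CLUSTERS).items():
        print(f"{n} unused {engine} reserved node(s) of type {node_type}")  # 2 unused memcached cache.m5.large
```

Run audit_region("us-east-1") against each region in turn to replace steps 1 to 8 above; an empty result means every active reservation in that region has corresponding running nodes.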

Remediation / Resolution

Once purchased, Amazon ElastiCache Reserved Nodes (RNs) can't be modified or canceled, and you will be billed for these resources regardless of whether you use them or not. To make use of your investment, you can provision and utilize a corresponding ElastiCache cluster node for each unused Reserved Node purchased within your AWS account or within any other member accounts available in your AWS Organization (if you are using one). To provision new Amazon ElastiCache clusters using nodes that match the RNs purchase criteria, perform the following actions:

Case A: Memcached Cache Clusters

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, select Memcached caches, and choose Create Memcached cache to create a new Memcached cache cluster.

04 On the Create Memcached cache setup page, perform the following operations:

  1. For Step 1 Cluster settings, perform the following actions:
    • For Choose a cluster creation method, set Deployment option to Design your own cache and Standard create.
    • For Location select AWS Cloud.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
    • For Cluster settings, select the Memcached engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type used by your active Reserved Node), and enter the number of nodes to provision in the Number of nodes box.
    • For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
    • For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
    • Choose Next to continue the setup process.
  2. For Step 2 Advanced settings, perform the following operations:
    • For Security, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups required to control network access to your cluster.
    • For Maintenance, set Maintenance window, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification dropdown list.
    • (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
    • Choose Next to continue the setup.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Memcached cache cluster.

05 If required, repeat steps no. 3 and 4 to provision more Amazon ElastiCache clusters with corresponding cache nodes for Reserved Nodes (RN) purchased in the current AWS region/account or within any other member accounts available in your AWS Organization.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Launch your new Memcached cache cluster with the create-cache-cluster command (OSX/Linux/UNIX), using the appropriate cache node type (must match the node type used by your active Reserved Node):

aws elasticache create-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id "cc-new-production-memcache-cluster" \
  --az-mode "single-az" \
  --preferred-availability-zone "us-east-1a" \
  --num-cache-nodes 2 \
  --cache-node-type "cache.m5.large" \
  --engine "memcached" \
  --engine-version "1.6.22" \
  --security-group-ids "sg-0abcd1234abcd1234" \
  --cache-subnet-group-name "cc-memcache-cluster-sg"

02 The command output should return the information available for the new Memcached cache cluster:

{
	"CacheCluster": {
		"CacheClusterId": "cc-new-production-memcache-cluster",
		"CacheNodeType": "cache.m5.large",
		"Engine": "memcached",
		"EngineVersion": "1.6.22",
		"CacheClusterStatus": "creating",
		"NumCacheNodes": 2,
		"PreferredAvailabilityZone": "us-east-1a",

		...

		"PendingModifiedValues": {},
		"CacheSecurityGroups": [],
		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-new-production-memcache-cluster",
		"ReplicationGroupLogDeliveryEnabled": false,
		"LogDeliveryConfigurations": []
	}
}

03 If required, repeat steps no. 1 and 2 to provision more Amazon ElastiCache clusters with corresponding cache nodes for Reserved Nodes purchased in the current AWS region/account or within any other member accounts available in your AWS Organization.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Case B: Redis Cache Clusters

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, select Redis caches, and choose Create Redis cache to create a new Redis cache cluster.

04 On the Create Redis cache setup page, perform the following operations:

  1. For Step 1 Cluster settings, perform the following actions:
    • For Configuration, set Deployment option to Design your own cache and Creation method to Cluster cache.
    • For Cluster mode, choose the cluster mode required for your application.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
    • For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a multi-AZ and/or failover configuration.
    • For Cluster settings, select the Redis engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type used by your active Reserved Node), and enter the number of replicas to provision in the Number of replicas box.
    • For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
    • For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
    • Choose Next to continue the setup process.
  2. For Step 2 Advanced settings, perform the following operations:
    • For Security, check Enable under Encryption at rest and select an encryption key to enable encryption at rest, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups necessary for controlling network access to your cluster.
    • For Backup, check Enable automatic backups to enable automatic backups. Configure the Backup retention period and preferred Backup window.
    • For Maintenance, set Maintenance window, check Enable under Auto upgrade minor versions to enable auto minor version upgrades, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification list.
    • For Logs, check Enable under Slow logs and Engine logs to enable Redis engine logs and slow logs for the new cluster. Choose the required Log format and Log destination type for each log type.
    • (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
    • Choose Next to continue the setup.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Redis cache cluster.

05 If required, repeat steps no. 3 and 4 to provision more Amazon ElastiCache clusters with corresponding cache nodes for Reserved Nodes (RN) purchased in the current AWS region/account or within any other member accounts available in your AWS Organization.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Create your new Redis replication group with the create-replication-group command (OSX/Linux/UNIX), using the appropriate cache node type (must match the node type used by your active Reserved Node):

aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-new-production-redis-cluster" \
  --replication-group-description "Redis Cache Replication Group" \
  --engine "redis" \
  --num-cache-clusters 2 \
  --cache-node-type "cache.m5.large" \
  --no-multi-az-enabled \
  --cache-subnet-group-name "cc-redis-cache-sg"

02 The command output should return the information available for the new Redis cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-new-production-redis-cluster",
		"Description": "Redis Cache Replication Group",
		"GlobalReplicationGroupInfo": {},
		"Status": "creating",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-new-production-redis-cluster-001",
			"cc-new-production-redis-cluster-002"
		],

		...

		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "06:00-07:00",
		"ClusterEnabled": false,
		"CacheNodeType": "cache.m5.large",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-new-production-redis-cluster",
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

03 If required, repeat steps no. 1 and 2 to provision more Amazon ElastiCache clusters with corresponding cache nodes for Reserved Nodes (RN) purchased in the current AWS region/account or within any other member accounts available in your AWS Organization.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Mar 7, 2017