Enable Redis Keyspace Notifications

Risk Level: Medium (should be achieved)

Ensure that Redis keyspace notifications are enabled for your Microsoft Azure Cache for Redis servers in order to allow clients to receive notifications when important events occur.

Security
Operational excellence

Keyspace notifications in Azure Cache for Redis enable you to receive real-time alerts about events happening in your Redis cache instance (e.g., key modifications, expirations). This allows you to build reactive applications that can respond immediately to data changes, enabling use cases like cache invalidation, activity monitoring, and triggering serverless functions.


Audit

To determine whether Redis keyspace notifications are enabled for your Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list only the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.

06 In the resource navigation panel, under Settings, select Advanced settings to access the advanced settings available for the selected resource.

07 Check the notify-keyspace-events setting box to determine if keyspace notifications are enabled for your Redis cache server. If the notify-keyspace-events setting box is empty, Redis keyspace notifications are not enabled for the selected Microsoft Azure Cache for Redis server.

08 Repeat steps no. 5 – 7 for each Azure Cache for Redis server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the redis list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Cache for Redis server available in the selected subscription:

az redis list --query '[*].id'

05 The command output should return the requested cache server IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-webapp-cache-server"
]

06 Run the redis show command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to examine as the identifier parameter and custom output filters to determine if keyspace notifications are enabled for the selected cache server:

az redis show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache" --query '{"notifyKeyspaceEvents":redisConfiguration.notifyKeyspaceEvents}'

07 The command output should return the "notifyKeyspaceEvents" configuration attribute value:

{
	"notifyKeyspaceEvents": null
}

If the redis show command output returns null or an empty string (i.e., "") for the "notifyKeyspaceEvents" attribute value, Redis keyspace notifications are not enabled for the selected Microsoft Azure Cache for Redis server.

08 Repeat steps no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
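The CLI audit above, automated in one pass as an added example (not part of the original page; the function names are illustrative). Beyond the page's null/empty check, it also flags values that Redis accepts but that deliver nothing: a flag string needs K or E plus at least one event class. It assumes the Azure CLI's tsv output, which prints null as None.

```shell
#!/bin/sh
# Added example: audit notify-keyspace-events on every Azure Cache for Redis server.
# Function names are illustrative; only documented az commands are called.

# Classify one notifyKeyspaceEvents value: DISABLED, INEFFECTIVE or ENABLED.
keyspace_state() {
	case "$1" in
		''|None|null) echo DISABLED; return ;;   # az -o tsv prints null as "None"
	esac
	case "$1" in
		*[KE]*) ;;                               # K = keyspace channel, E = keyevent channel
		*) echo INEFFECTIVE; return ;;           # without K or E Redis publishes nothing
	esac
	case "$1" in
		*[Aglshzxetdmn]*|*'$'*) echo ENABLED ;;  # at least one event class is selected
		*) echo INEFFECTIVE ;;
	esac
}

# Read "<resource id><TAB><flags>" lines on stdin and print "<state><TAB><resource id>".
# Returns 1 when any cache is not ENABLED, so the function can gate a pipeline.
audit_tsv() {
	tab=$(printf '\t')
	rc=0
	while IFS="$tab" read -r id flags; do
		[ -n "$id" ] || continue
		state=$(keyspace_state "$flags")
		printf '%s\t%s\n' "$state" "$id"
		[ "$state" = ENABLED ] || rc=1
	done
	return "$rc"
}

# Steps 01-09 of the CLI audit: every subscription, every cache, one pass.
audit_all() {
	for sub in $(az account list --query '[*].id' --output tsv); do
		az redis list --subscription "$sub" --output tsv \
			--query '[*].[id, redisConfiguration.notifyKeyspaceEvents]'
	done | audit_tsv
}

# Run against the live account only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
	audit_all
fi
```
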

Remediation / Resolution

To enable Redis keyspace notifications for your Microsoft Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list only the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to configure.

06 In the resource navigation panel, under Settings, select Advanced settings to access the advanced settings available for the selected resource.

07 Type KEA in the notify-keyspace-events setting box and choose Save to enable Redis keyspace notifications for the selected Microsoft Azure Cache for Redis server. The keyword KEA can be used to enable most types of keyspace events. For more details about keyspace notifications configuration, see the Redis official documentation.

08 Repeat steps no. 5 – 7 for each Azure Cache for Redis server that you want to configure, available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the redis update command (Windows/macOS/Linux) to enable Redis keyspace notifications for the selected Microsoft Azure Cache for Redis server. The keyword KEA can be used to enable most types of keyspace events. For more details about keyspace notifications configuration, check the Redis official documentation:

az redis update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache" --set "redisConfiguration.notifyKeyspaceEvents=KEA"

05 The command output should return the configuration information available for the modified Redis cache server:

{
	"accessKeys": null,
	"disableAccessKeyAuthentication": false,
	"enableNonSslPort": true,
	"hostName": "cc-project5-redis-cache.redis.cache.windows.net",
	"identity": null,
	"instances": [
		{
			"isMaster": true,
			"isPrimary": true,
			"nonSslPort": 13000,
			"shardId": null,
			"sslPort": 15000,
			"zone": null
		},
		{
			"isMaster": false,
			"isPrimary": false,
			"nonSslPort": 13001,
			"shardId": null,
			"sslPort": 15001,
			"zone": null
		}
	],
	"linkedServers": [],
	"location": "West Europe",
	"minimumTlsVersion": "1.2",
	"name": "cc-project5-redis-cache",
	"port": 6379,
	"privateEndpointConnections": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"redisConfiguration": {
		"aadEnabled": "False",
		"additionalProperties": null,
		"aofBackupEnabled": null,
		"aofStorageConnectionString0": null,
		"aofStorageConnectionString1": null,
		"authnotrequired": null,
		"maxclients": "7500",
		"maxfragmentationmemoryReserved": "642",
		"maxmemoryDelta": "642",
		"maxmemoryPolicy": null,
		"maxmemoryReserved": "642",
		"notifyKeyspaceEvents": "KEA",
		"preferredDataArchiveAuthMethod": null,
		"preferredDataPersistenceAuthMethod": null,
		"rdbBackupEnabled": null,
		"rdbBackupFrequency": null,
		"rdbBackupMaxSnapshotCount": null,
		"rdbStorageConnectionString": null,
		"storageSubscriptionId": null,
		"zonalConfiguration": null
	},
	"redisVersion": "6.0",
	"replicasPerMaster": null,
	"replicasPerPrimary": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"shardCount": null,
	"sku": {
		"capacity": 1,
		"family": "P",
		"name": "Premium"
	},
	"sslPort": 6380,
	"staticIp": null,
	"subnetId": null,
	"tags": {},
	"tenantSettings": null,
	"type": "Microsoft.Cache/Redis",
	"updateChannel": "Stable",
	"zones": null
}

06 Repeat steps no. 4 and 5 for each Azure Cache for Redis server that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.

Publication date May 12, 2025