ElastiCache Nodes Counts

Risk Level: Medium (should be achieved)

Rule ID: EC-010

Ensure that the number of Amazon ElastiCache cluster cache nodes provisioned within your AWS cloud account doesn't exceed the ElastiCache workload quota set by your organization. TrendAI Vision One™ Cloud Risk Management sets a default threshold of 5 nodes, but you can adjust it to your needs and configure the maximum threshold for ElastiCache cluster nodes across all AWS regions. Cloud Risk Management will continuously scan your AWS account and notify you via configured notification channels if the specified limit is reached. If the ElastiCache quota is reached, you can request a limit increase through AWS Support Center.

This rule can help you with the following compliance standards:

APRA
MAS

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Cost
optimisation

Monitoring and setting limits for the maximum number of ElastiCache cluster nodes available in your AWS account helps you manage compute resources effectively and prevent unexpected charges. For instance, without limits, users could create more clusters than allowed by organization policy, exceeding the cloud computing budget. Additionally, a compromised account could be used to create large, expensive ElastiCache clusters for malicious purposes.

The threshold for the maximum number of ElastiCache cluster nodes per AWS account set for this rule is 5 (default threshold).

Audit

To determine the number of ElastiCache cluster nodes provisioned within your AWS account, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.
In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis or Memcached caches to access the cache clusters created with Memcached.
Click on the name (link) of the Redis/Memcached cache cluster that you want to examine.
Select the Nodes tab and check the total number of cache nodes, i.e Nodes (\), provisioned for the selected cache cluster.
Repeat steps no. 4 and 5 for each Amazon ElastiCache cluster available within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat steps no. 4 - 6 for each region where ElastiCache clusters are deployed. If the total number of available ElastiCache cluster nodes provisioned in your AWS account exceeds the ElastiCache cluster nodes quota set by your organization, you can create an AWS support case to limit the number of cache nodes based on your requirements.

Using AWS CLI

Run describe-cache-clusters command (OSX/Linux/UNIX) with custom output filters to list the number of cache nodes provisioned for each Amazon ElastiCache cluster available in the selected AWS clous region:
```
aws elasticache describe-cache-clusters
  --region us-east-1
  --query 'CacheClusters[*].[Engine,NumCacheNodes]'
```
The command output should return an array that contains pairs of data representing the cache engine type (i.e. Memcached and/or Redis) and the number of cache nodes provisioned for each ElastiCache cluster available in the selected AWS region:
```
[
	[
		"memcached",
		20
	],
	[
		"redis",
		16
	],
	[
		"redis",
		16
	]
]
```
Repeat steps no. 1 and 2 for each region where ElastiCache clusters are deployed. If the total number of available ElastiCache cluster nodes provisioned in your AWS account exceeds the ElastiCache cluster nodes quota set by your organization, you can raise an AWS support case to limit the number of cache nodes that can be created in your AWS account.

Remediation / Resolution

To create an AWS support case in order to request limiting the number of provisioned ElastiCache cluster nodes in your AWS cloud account based on your requirements, perform the following actions:

Note: Requesting a limit for the number of ElastiCache cluster nodes per region via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Support Center console available at https://console.aws.amazon.com/support/.
In the main navigation panel, choose Your support cases.
Choose Create case and perform the following operations:
1. For How can we help? select Looking for service quota increases?.
2. In the Looking for service quota increases? confirmation box choose Create a case instead.
3. For Service select ElastiCache nodes.
4. For Requests, under Request 1, provide the following information:
  1. For Region select the AWS region where you need to limit the creation of ElastiCache cluster nodes.
  2. For Quota choose Nodes per region.
  3. In the New quota value box, enter the limit value to request for the number of provisioned cache nodes.
5. In the Use Case Description textbox, enter a brief description where you explain the limit request, to help AWS support promptly evaluate your case.
6. For Contact options, perform the following actions:
  1. For Preferred contact language, choose your preferred correspondence language for the current support case.
  2. For Contact methods, select a preferred contact method that AWS support team can use to respond to your request.
7. Choose Submit to send the limit request to Amazon Web Services (AWS). A customer support representative will contact you shortly.

References

AWS Documentation
Amazon ElastiCache FAQs
ElastiCache for Memcached components and features
Redis nodes and shards
Creating a service quota increase

AWS Command Line Interface (CLI) Documentation
describe-cache-clusters

Publication date Sep 23, 2017

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

References

Related ElastiCache rules