Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements

The AWS PCI DSS Compliance program includes Amazon ElastiCache for Redis as a PCI-compliant service (ElastiCache for Memcached is not covered). Only Redis engine versions 3.2.6, 4.0.10 and later are PCI DSS compliant, so it is recommended to run those versions only.

Risk Level: High
Cloud Entity: Amazon ElastiCache
CloudGuard Rule ID: D9.AWS.CRY.26.PCI
Covered by Spectral: Yes
Category: Database

GSL LOGIC

ElastiCache where engine='redis' should have (engineVersion='3.2.6' or engineVersion='3.2.10' or engineVersion>='4.0.10' or engineVersion>='5.0.0')
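The rule logic above can be turned into an offline check that runs over the JSON that `aws elasticache describe-cache-clusters` returns. The following is an added example, not CloudGuard's or AWS's code: it assumes the `CacheClusters[].CacheClusterId` / `Engine` / `EngineVersion` field names of that output, uses a constructed sample instead of a live account, and compares versions numerically (tuples of integers) rather than as strings, so that a hypothetical version such as "10.0.0" still sorts above "4.0.10".

```python
"""Evaluate ElastiCache clusters against the PCI DSS engine-version rule.

Added example, not CloudGuard's or AWS's code. The records in
SAMPLE_DESCRIBE_OUTPUT are constructed to mirror the shape of
`aws elasticache describe-cache-clusters --output json`.
"""
import json
import re

# Versions the rule accepts: exactly 3.2.6 or 3.2.10, or anything >= 4.0.10
# (the ">= 5.0.0" clause of the rule is already covered by ">= 4.0.10").
EXACT_ALLOWED = {(3, 2, 6), (3, 2, 10)}
MIN_VERSION = (4, 0, 10)


def parse_version(version):
    """Turn '6.2.6', '7.1' or '6.x' into a comparable (major, minor, patch) tuple.

    Numeric comparison avoids the lexicographic trap where '10.0.0' < '4.0.10'
    as strings. Non-numeric components (e.g. the 'x' in '6.x') count as 0.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_cluster(cluster):
    """Classify one describe-cache-clusters record.

    Returns 'NOT_APPLICABLE' for non-Redis engines (the rule's scope is
    engine='redis' only), otherwise 'COMPLIANT' or 'NON_COMPLIANT'.
    """
    if cluster.get("Engine", "").lower() != "redis":
        return "NOT_APPLICABLE"
    version = parse_version(cluster.get("EngineVersion", "0"))
    if version in EXACT_ALLOWED or version >= MIN_VERSION:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def find_non_compliant(describe_output):
    """Return the sorted ids of Redis clusters that fail the rule."""
    return sorted(
        c["CacheClusterId"]
        for c in describe_output.get("CacheClusters", [])
        if evaluate_cluster(c) == "NON_COMPLIANT"
    )


def load_describe_output(path):
    """Read saved `describe-cache-clusters` JSON from disk (hypothetical path)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample, shaped like describe-cache-clusters output.
SAMPLE_DESCRIBE_OUTPUT = {
    "CacheClusters": [
        {"CacheClusterId": "redis-legacy-001", "Engine": "redis", "EngineVersion": "3.2.4"},
        {"CacheClusterId": "redis-pci-001", "Engine": "redis", "EngineVersion": "3.2.6"},
        {"CacheClusterId": "redis-old-4", "Engine": "redis", "EngineVersion": "4.0.9"},
        {"CacheClusterId": "redis-current-001", "Engine": "redis", "EngineVersion": "7.1.0"},
        {"CacheClusterId": "memcached-001", "Engine": "memcached", "EngineVersion": "1.6.22"},
    ]
}

if __name__ == "__main__":
    for c in SAMPLE_DESCRIBE_OUTPUT["CacheClusters"]:
        print(f"{c['CacheClusterId']:<20} {c['Engine']:<10} "
              f"{c['EngineVersion']:<8} {evaluate_cluster(c)}")
    print("non-compliant:", find_non_compliant(SAMPLE_DESCRIBE_OUTPUT))
```

To run it against a real account, save the CLI output with `aws elasticache describe-cache-clusters --output json > clusters.json` and pass the result of `load_describe_output("clusters.json")` to `find_non_compliant`. Memcached clusters are reported as not applicable rather than compliant, which keeps the output honest about what the PCI program actually covers.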

REMEDIATION

From Portal
To enable PCI DSS support on your ElastiCache for Redis cluster, the cluster and the nodes within it must satisfy the following requirements.
To create a PCI-compliant ElastiCache for Redis cluster, you must use Redis engine version 3.2.6, 4.0.10 or later together with current generation node types. Your cluster must be running ElastiCache for Redis 3.2.6, 4.0.10 or later, whether cluster mode is enabled or disabled.

  1. For each PCI DSS environment, log in to the AWS console.
  2. Go to the Amazon ElastiCache service: https://us-east-1.console.aws.amazon.com/elasticache.
  3. In the left navigation panel, click 'Redis clusters'.
  4. Click 'Create Redis cluster' and enter the required details, selecting engine version 3.2.6, 4.0.10 or later.
  5. Review all your entries and choices, then make any needed corrections. When you are ready, choose 'Create'. See the References section for more details on the cluster creation steps.

From TF

resource "aws_elasticache_cluster" "test" {
  cluster_id      = "cluster-example"
  engine          = "redis"
  node_type       = "cache.m4.large"
  num_cache_nodes = 1
  engine_version  = "5.0.0"  # add this line; minimum compliant version: "4.0.10"
  port            = 6379
}

From Command Line
Use the following command to modify an existing cache cluster, where ENGINE_VERSION is 3.2.6, 4.0.10 or a later version:

aws elasticache modify-cache-cluster --region REGION_NAME --cache-cluster-id CLUSTER_IDENTIFIER_VALUE --num-cache-nodes VALUE --engine-version ENGINE_VERSION --apply-immediately

Note: You can upgrade to a newer engine version, but you cannot downgrade to an earlier one. If you need an earlier engine version, you must delete the existing cluster and create a new one with that version.

References

  1. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/elasticache-compliance.html#elasticache-compliance-pci
  2. https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html
  3. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/elasticache-compliance.html
  4. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Create.html

Amazon ElastiCache

Amazon ElastiCache offers fully managed Redis and Memcached. Seamlessly deploy, operate, and scale popular open source compatible in-memory data stores. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Well Architected Framework
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset