Guides

Ensure that the latest version of Redis is used for your AWS ElastiCache clusters

Maintain optimal performance and security by mandating the use of the most up-to-date Redis versions for your AWS ElastiCache clusters.

Suggest Edits

Risk Level: Low
Cloud Entity: Amazon ElastiCache
CloudGuard Rule ID: D9.AWS.OPE.27
Covered by Spectral: No
Category: Database

GSL LOGIC

ElastiCache where engine='redis' should have engineVersion>='7.0.7'

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.
  3. Go into the 'Redis' clusters tab in the left section.
  4. For every cluster listed, click on it's name. Check the version in the 'Engine version'. If the version is under 7.0.7, its not the latest version - thus needs to be modified.
  5. Click on the 'Modify' button in the top left corner of the page, and then scroll until you reach the 'Cluster settings' tab.
  6. Click the 'Engine version' button, and select the first one (should show 7.0 - but it's 7.0.7 under the hood).
  7. Click on 'Preview changes' at the bottom of the page.
  8. Make sure you select the 'Apply immediately' checkbox. Then press 'Modify' at the bottom of the page.
  9. Repeat these steps for every cluster that doesn't have the latest version of the engine, and don't forget to check your other regions as well.

From TF

  1. To changed the Redis cluster's engine version, use the following keys template:
resource 'aws_elasticache_cluster' 'example_redis' {
	...
	engine               = 'redis'
	...
	engine_version       = '7.0.7'
}

From Command Line

  1. To check for the engine version in the every cluster in a specific region, run the following command:
aws elasticache describe-cache-clusters --region EXAMPLE_REGION_NAME --output table --query 'CacheClusters[*].[CacheClusterId, Engine, EngineVersion]'
  1. If any redis cluster's engine version is not 7.0.7, run the following command (using the first column's value as the cluster id - without the '-001 / -002 / -00x'):
aws elasticache modify-replication-group --region EXAMPLE_REGION_NAME --replication-group-id EXAMPLE_REDIS_ID --engine-version 7.0 --apply-immediately
  1. Repeat these steps for every cluster that doesn't have the latest version of the engine, and don't forget to check your other regions as well.

References

  1. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster

Amazon ElastiCache

Amazon ElastiCache offers fully managed Redis and Memcached. Seamlessly deploy, operate, and scale popular open source compatible in-memory data stores. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset

Updated about 1 year ago