
ElastiCache Instance Generation

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-001

Ensure that all the Amazon ElastiCache cache clusters provisioned in your AWS cloud account are using the latest generation of cache node types in order to get the best performance with lower costs. If you are using cache nodes from the previous generation, Trend Cloud One™ – Conformity strongly recommends that you upgrade your nodes with their latest generation equivalents.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency
Cost optimisation

Using the latest generation of Amazon ElastiCache cluster nodes instead of the previous generation nodes has tangible benefits such as better hardware performance (more computing capacity and faster CPUs, memory optimization, superior I/O, and higher network throughput), better support for the newest Redis/Memcached engine versions, and lower costs for CPU, memory, and storage.


Audit

To determine if there are any ElastiCache clusters running on cache nodes from the previous generation available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis, or Memcached caches to access the cache clusters created with Memcached.

04 Click on the name (link) of the Redis/Memcached cache cluster that you want to examine.

05 In the Cluster details section, check the Node type attribute value to determine if the cache cluster is using a node type from a previous generation. If the node type used for the selected ElastiCache cache cluster is from the previous generation, the node type should be listed on this page, in the Previous Generation Node type list.

06 Repeat steps no. 4 and 5 for each Amazon ElastiCache cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-cache-clusters command (OSX/Linux/UNIX) to list the name of each Amazon ElastiCache cluster available in the selected AWS cloud region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --output table \
  --query 'CacheClusters[*].CacheClusterId'

02 The command output should return a table with the requested cluster names:

-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-002  |
+-----------------------------------+

03 Run the describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Amazon ElastiCache cluster that you want to examine as the identifier parameter and custom output filters to describe the type of the node configured for the selected cache cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --query 'CacheClusters[*].CacheNodeType'

04 The command output should return the requested cluster node information:

[
	"cache.m3.large"
]

If the node type used for the selected Amazon ElastiCache cache cluster, returned by the describe-cache-clusters command output, is from the previous generation, the node type should be listed on this page, in the Previous Generation Node type list.

05 Repeat steps no. 3 and 4 for each ElastiCache cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS regions.
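
The CLI audit above inspects one cluster at a time; the following added example (not part of the Conformity rule or of any AWS tool) filters a whole region's describe-cache-clusters output in one pass. The family list `t1 m1 m2 m3 c1 r3` is an assumption standing in for the Previous Generation Node type list the page refers to, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flag ElastiCache clusters on previous-generation node families.
# PREVIOUS_GEN_FAMILIES is an assumption; confirm it against the current AWS list.
PREVIOUS_GEN_FAMILIES="t1 m1 m2 m3 c1 r3"

# Return 0 when a node type such as cache.m3.large belongs to a listed family.
is_previous_gen() {
  case "$1" in
    cache.*.*) ;;
    *) return 1 ;;            # not a cache node type (empty, "None", ...)
  esac
  family=${1#cache.}          # m3.large
  family=${family%%.*}        # m3
  for f in $PREVIOUS_GEN_FAMILIES; do
    [ "$family" = "$f" ] && return 0
  done
  return 1
}

# Read "cluster-id<TAB>node-type" rows on stdin; print the rows needing an upgrade.
flag_previous_gen() {
  while IFS="$(printf '\t')" read -r cluster node_type; do
    [ -n "$cluster" ] || continue
    if is_previous_gen "$node_type"; then
      printf '%s\t%s\n' "$cluster" "$node_type"
    fi
  done
}

# Constructed sample rows (cluster names from the page, node types assumed).
sample_rows() {
  printf 'cc-production-memcache-cluster\tcache.m3.large\n'
  printf 'cc-production-redis-cluster-001\tcache.m5.large\n'
  printf 'cc-production-redis-cluster-002\tcache.r3.xlarge\n'
}

sample_rows | flag_previous_gen

# Live use, one region at a time (rows come out tab-separated with --output text):
#   aws elasticache describe-cache-clusters --region us-east-1 --output text \
#     --query 'CacheClusters[*].[CacheClusterId,CacheNodeType]' | flag_previous_gen
```
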

Remediation / Resolution

To upgrade your previous generation Amazon ElastiCache cluster nodes to their latest generation equivalents, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis, or Memcached caches to access the cache clusters created with Memcached.

04 Select the Redis/Memcached cache cluster that you want to configure, choose Actions, and select Modify to configure the cache cluster settings.

05 In the Cluster settings section, use the Node type dropdown list to select the latest generation node type, equivalent to the previous generation type. The chosen node type must meet your processing power and memory requirements. Access the official AWS documentation available here to make sure that you choose the right type for your Amazon ElastiCache cluster nodes.

06 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each ElastiCache cache cluster that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 For Redis cache clusters:

  1. Run the describe-replication-groups command (OSX/Linux/UNIX) to list the identifier (name) of each Redis replication group available in the selected AWS cloud region:
    aws elasticache describe-replication-groups \
      --region us-east-1 \
      --output table \
      --query 'ReplicationGroups[*].ReplicationGroupId'
    
  2. The command output should return a table with the requested resource names:
    ----------------------------------
    |   DescribeReplicationGroups    |
    +--------------------------------+
    |  cc-production-redis-cluster   |
    |  cc-webapp-redis-cache-cluster |
    +--------------------------------+
    
  3. Run the modify-replication-group command (OSX/Linux/UNIX) with the name of the Redis cache replication group that you want to configure as the identifier parameter, to upgrade the cache nodes for the selected replication group to the latest generation type, equivalent to the previous generation type. Access the official AWS documentation available here to make sure that you choose the right type for your Amazon ElastiCache cluster nodes. The following command request example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your ElastiCache application. If the --apply-immediately parameter is not specified, the configuration change will be processed during the next maintenance window. The following command request example upgrades the node type from "cache.m3.large" (previous generation) to "cache.m5.large" (latest generation):
    aws elasticache modify-replication-group \
      --region us-east-1 \
      --replication-group-id cc-production-redis-cluster \
      --cache-node-type cache.m5.large \
      --apply-immediately
    
  4. The command output should return the information available for the configured Redis cache replication group:
    {
    	"ReplicationGroup": {
    		"ReplicationGroupId": "cc-production-redis-cluster",
    		"GlobalReplicationGroupInfo": {},
    		"Status": "available",
    		"PendingModifiedValues": {},
    		"MemberClusters": [
    			"cc-production-redis-cluster-001",
    			"cc-production-redis-cluster-002"
    		],
    
    		...
    
    		"AutomaticFailover": "disabled",
    		"MultiAZ": "disabled",
    		"SnapshotWindow": "05:30-06:30",
    		"CacheNodeType": "cache.m5.large",
    		"TransitEncryptionEnabled": false,
    		"AtRestEncryptionEnabled": false,
    		"DataTiering": "disabled"
    	}
    }
    

02 For Memcached cache clusters:

  1. Run the modify-cache-cluster command (OSX/Linux/UNIX) to upgrade the cache nodes for the selected Memcached cluster to the latest generation type, equivalent to the previous generation type. Access the official AWS documentation available here to make sure that you choose the right type for your Amazon ElastiCache cluster nodes. The following command request example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your ElastiCache application. If the --apply-immediately parameter is not specified, the configuration change will be processed during the next maintenance window. The following command request example upgrades the node type from "cache.m3.large" (previous generation) to "cache.m5.large" (latest generation):
    aws elasticache modify-cache-cluster \
      --region us-east-1 \
      --cache-cluster-id cc-production-memcache-cluster \
      --cache-node-type cache.m5.large \
      --apply-immediately
    
  2. The command output should return the information available for the configured Memcached cache cluster:
    {
    	"CacheCluster": {
    		"Engine": "memcached",
    		"CacheParameterGroup": {
    			"CacheParameterGroupName": "default.memcached1.6",
    			"ParameterApplyStatus": "in-sync"
    		},
    		"CacheClusterId": "cc-production-memcache-cluster",
    		"ConfigurationEndpoint": {
    			"Port": 11211,
    			"Address": "cc-production-memcache-cluster.abc.cache.amazonaws.com"
    		},
    
    		...
    
    		"CacheClusterStatus": "modifying",
    		"NumCacheNodes": 2,
    		"TransitEncryptionEnabled": false,
    		"CacheSubnetGroupName": "default",
    		"EngineVersion": "1.6.22",
    		"PendingModifiedValues": {
    			"EngineVersion": "1.6.22"
    		},
    		"CacheNodeType": "cache.m5.large"
    	}
    }
    

03 Repeat steps no. 1 and 2 for each ElastiCache cache cluster that you want to configure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Oct 19, 2016