Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

ElastiCache Redis Multi-AZ

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-002

Ensure that your Amazon ElastiCache Redis cache clusters are using a Multi-AZ deployment configuration to enhance reliability through automatic failover. The Multi-AZ feature uses a read replica in case of a primary cache node failure.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Enabling the Multi-AZ feature for your Redis cache clusters will improve the fault tolerance in case the read/write primary node becomes unreachable due to loss of network connectivity or loss of availability in the primary's Availability Zone (AZ).

Audit

To determine if your Amazon ElastiCache Redis cache clusters are using a Multi-AZ configuration, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 In the Cluster details section, check the Multi-AZ configuration attribute value. If the Multi-AZ attribute value is set to Disabled, the selected Amazon ElastiCache Redis cache cluster is not using a Multi-AZ deployment configuration for enhanced reliability.

06 Repeat steps no. 4 and 5 for each Redis cache cluster provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache replication group available in the selected AWS region: 

aws elasticache describe-replication-groups
  --region us-east-1
  --output table
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return a table with the requested resource names: 

-----------------------------------
|    DescribeReplicationGroups    |
+---------------------------------+
|  cc-production-cache-cluster    |
|  cc-web-platform-cache-cluster  |
+---------------------------------+

03 Run describe-replication-groups command (OSX/Linux/UNIX) with the name of the Redis cache replication group that you want to examine as the identifier parameter and custom output filters to determine if the selected replication group is using a Multi-AZ deployment configuration: 

aws elasticache describe-replication-groups
  --region us-east-1
  --replication-group-id cc-production-cache-cluster
  --query 'ReplicationGroups[*].MultiAZ'

04 The command output should return the Multi-AZ feature status available for the selected cache cluster: 

[
	"disabled"
]

If the describe-replication-groups command output returns disabled, as shown in the output example above, the selected Amazon ElastiCache Redis cache cluster is not using a Multi-AZ deployment configuration for enhanced reliability.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS cloud regions.

Remediation / Resolution

To enable the Multi-AZ feature for your Amazon ElastiCache Redis cache clusters in order to enhance reliability through automatic failover, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Multi-AZ for Redis Cache Replication Groups",
	"Resources": {
		"RedisReplicationGroup": {
			"Type": "AWS::ElastiCache::ReplicationGroup",
			"Properties": {
				"ReplicationGroupId": "cc-redis-cache-cluster",
				"ReplicationGroupDescription": "Multi-AZ Replication Group",
				"Engine": "redis",
				"EngineVersion": "6.2",
				"NumCacheClusters": "2",
				"CacheNodeType": "cache.t2.micro",
				"CacheParameterGroupName": "default.redis6.x",
				"MultiAZEnabled": true
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Multi-AZ for Redis Cache Replication Groups
	Resources:
		RedisReplicationGroup:
		Type: AWS::ElastiCache::ReplicationGroup
		Properties:
			ReplicationGroupId: cc-redis-cache-cluster
			ReplicationGroupDescription: Multi-AZ Replication Group
			Engine: redis
			EngineVersion: '6.2'
			NumCacheClusters: '2'
			CacheNodeType: cache.t2.micro
			CacheParameterGroupName: default.redis6.x
			MultiAZEnabled: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

	replication_group_id        = "cc-redis-cache-cluster"
	description                 = "Multi-AZ Replication Group"
	engine                      = "redis"
	engine_version              = "6.x"
	node_type                   = "cache.t2.micro"
	num_cache_clusters          = 2
	parameter_group_name        = "default.redis6.x"

	# Enable Multi-AZ for Redis Cache Replication Groups
	multi_az_enabled            = true
	automatic_failover_enabled  = true
	apply_immediately           = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Select the Redis cache cluster that you want to configure, choose Actions, and select Modify to modify the location configuration settings available for the cluster.

05 In the Location section, check the Enable setting checkbox under Multi-AZ to enable the Multi-AZ feature for the selected Amazon ElastiCache Redis cache cluster.

06 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Redis cache cluster that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run modify-replication-group command (OSX/Linux/UNIX) to enable the Multi-AZ automatic failover feature for the specified Redis cache replication group. Include the --apply-immediately parameter in your command request if you want to apply the changes immediately. If --apply-immediately is not specified, the configuration changes will be processed during the next maintenance window: 

aws elasticache modify-replication-group
  --region us-east-1
  --replication-group-id cc-production-cache-cluster
  --multi-az-enabled
  --apply-immediately

02 The command output should return the information available for the configured Redis cache cluster: 

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-production-cache-cluster",
		"Description": " ",
		"GlobalReplicationGroupInfo": {},
		"Status": "available",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-production-cache-cluster-0001-001",
			"cc-production-cache-cluster-0001-002"
		],
		"NodeGroups": [
			{
				"NodeGroupId": "0001",
				"Status": "available",
				"Slots": "0-16383",
				"NodeGroupMembers": [
					{
						"CacheClusterId": "cc-production-cache-cluster-0001-001",
						"CacheNodeId": "0001",
						"PreferredAvailabilityZone": "us-east-1e"
					},
					{
						"CacheClusterId": "cc-production-cache-cluster-0001-002",
						"CacheNodeId": "0001",
						"PreferredAvailabilityZone": "us-east-1f"
					}
				]
			}
		],
		"AutomaticFailover": "enabled",
		"MultiAZ": "enabled",
		"ConfigurationEndpoint": {
			"Address": "cc-production-cache-cluster.abcabc.clustercfg.use1.cache.amazonaws.com",
			"Port": 6379
		},
		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "08:00-09:00",
		"ClusterEnabled": true,
		"CacheNodeType": "cache.m5.large",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-production-cache-cluster",
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

References

Publication date Dec 23, 2016

Related ElastiCache rules