Enable Event Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon ElastiCache clusters are configured to send event notifications via Amazon Simple Notification Service (SNS) in order to monitor your cache clusters for important events and quickly mitigate any issues with your cache system.

This rule can help you work with the AWS Well-Architected Framework.

Reliability, Operational excellence

When significant events happen for a cache cluster, Amazon ElastiCache sends a notification to an Amazon SNS topic that you configure. Examples of important events that can provide valuable insight into your cache system activity include a failure to add a node, success in adding a cluster node, and the modification of an associated security group. By monitoring for Amazon ElastiCache key events, you can determine the current state of your cache clusters and, depending upon the event, be able to take corrective action.


Audit

To determine if event notifications via Simple Notification Service (SNS) are enabled for your Amazon ElastiCache cache clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 For Redis cache clusters:

  1. In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
  2. Click on the name (link) of the Redis cache cluster that you want to examine.
  3. Select the Maintenance and backups tab and check the Notification ARN attribute value, in the Maintenance section, to identify the Amazon Resource Name (ARN) of the SNS topic configured to send event notifications for the selected cluster. If Notification ARN is set to Disabled, there is no SNS topic configured for your cluster; therefore, event notifications via Amazon SNS are not enabled for the selected Redis cache cluster.

04 For Memcached cache clusters:

  1. In the navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
  2. Click on the name (link) of the Memcached cache cluster that you want to examine.
  3. Select the Maintenance tab and check the Notification ARN attribute value, in the Maintenance section, to identify the Amazon Resource Name (ARN) of the SNS topic configured to send event notifications for the selected cluster. If Notification ARN is set to Disabled, there is no SNS topic configured for your cluster; therefore, event notifications via Amazon SNS are not enabled for the selected Memcached cache cluster.

05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) to list the identifier (name) of each Amazon ElastiCache cluster available in the selected AWS cloud region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --output table \
  --query 'CacheClusters[*].CacheClusterId'

02 The command output should return a table with the requested cluster names:

-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-002  |
+-----------------------------------+

03 Run describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Amazon ElastiCache cluster that you want to examine as the identifier parameter and custom output filters to describe the Amazon Resource Name (ARN) of the SNS topic configured to send event notifications for the selected cache cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster \
  --query 'CacheClusters[*].NotificationConfiguration.TopicArn'

04 The command output should return the requested Amazon Resource Name (ARN):

[]

If the describe-cache-clusters command output returns an empty array (i.e. []), as shown in the output example above, there is no SNS topic configured for your cluster; therefore, event notifications via Amazon SNS are not enabled for the selected ElastiCache cache cluster.

05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To configure your Amazon ElastiCache cache clusters to send alert notifications for important cluster events using Amazon SNS, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console available at https://console.aws.amazon.com/sns/.

03 Select Topics from the main navigation panel and choose Create topic to create a new Amazon SNS topic.

04 On the Create topic setup page, choose Standard for the topic type, and provide a unique name for the new topic in the Name box. Configure the optional settings based on your application requirements, then choose Create topic to create your new Amazon SNS topic.

05 For the new Amazon SNS topic, select the Subscriptions tab, and choose Create subscription to add subscriptions to your new SNS topic.

06 On the Create subscription setup page, select Email from the Protocol dropdown list and use the Endpoint configuration box to specify the email address that can receive notifications about important ElastiCache cluster events. Choose Create Subscription to assign the new subscription to your Amazon SNS topic.

07 Use your preferred email client to open the message from AWS Notifications, then click on the Confirm subscription link to confirm your subscription.

08 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

09 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis or Memcached caches to access the cache clusters created with Memcached.

10 Select the Redis/Memcached cache cluster that you want to configure, choose Actions, and select Modify to configure the ElastiCache event notifications settings for the selected cluster.

11 In the Maintenance section, select the ARN of your new SNS topic from the Topic for Amazon SNS notification dropdown list to enable event notifications via Simple Notification Service (SNS) for the selected cache cluster.

12 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

13 Repeat steps no. 10 – 12 for each ElastiCache cache cluster that you want to configure, available within the current AWS region.

14 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create an Amazon SNS topic for sending alert notifications when important ElastiCache cluster events occur:

aws sns create-topic \
  --region us-east-1 \
  --name cc-prod-cache-cluster-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic \
  --protocol email \
  --notification-endpoint alert@trendmicro.com \
  --return-subscription-arn

04 The command output should return the ARN of the new Amazon SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription by validating the token sent to the subscription endpoint (in this case, your email address) specified at the previous step (the command should not produce an output):

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic \
  --token 6577392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded64f6hc43aec62d83ef5f49109da733977

06 For Redis cache clusters:

  1. Run describe-replication-groups command (OSX/Linux/UNIX) to list the identifier (name) of each Redis replication group available in the selected AWS cloud region:
    aws elasticache describe-replication-groups \
      --region us-east-1 \
      --output table \
      --query 'ReplicationGroups[*].ReplicationGroupId'
    
  2. The command output should return a table with the requested resource names:
    ----------------------------------
    |   DescribeReplicationGroups    |
    +--------------------------------+
    |  cc-production-redis-cluster   |
    |  cc-webapp-redis-cache-cluster |
    +--------------------------------+
    
  3. To enable cluster event notifications for Redis cache clusters, run modify-replication-group command (OSX/Linux/UNIX) with the name of the Redis replication group that you want to configure as the identifier parameter. Include the --apply-immediately parameter in your command request if you want to apply the change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
    aws elasticache modify-replication-group \
      --region us-east-1 \
      --replication-group-id cc-production-redis-cluster \
      --notification-topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic \
      --notification-topic-status active \
      --apply-immediately
    
  4. The command output should return the information available for the configured Redis cache replication group:
    {
    	"ReplicationGroup": {
    		"ReplicationGroupId": "cc-production-redis-cluster",
    		"GlobalReplicationGroupInfo": {},
    		"Status": "available",
    		"PendingModifiedValues": {},
    		"MemberClusters": [
    			"cc-production-redis-cluster-001",
    			"cc-production-redis-cluster-002"
    		],
    
    		...
    
    		"AutomaticFailover": "disabled",
    		"MultiAZ": "disabled",
    		"SnapshotWindow": "05:30-06:30",
    		"CacheNodeType": "cache.m5.large",
    		"TransitEncryptionEnabled": false,
    		"AtRestEncryptionEnabled": false,
    		"LogDeliveryConfigurations": [],
    		"DataTiering": "disabled"
    	}
    }
    

07 For Memcached cache clusters:

  1. To enable event notifications for Memcached cache clusters, run modify-cache-cluster command (OSX/Linux/UNIX) with the name of the cache cluster that you want to configure as the identifier parameter. Include the --apply-immediately parameter in your command request if you want to apply the change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
    aws elasticache modify-cache-cluster \
      --region us-east-1 \
      --cache-cluster-id cc-production-memcache-cluster \
      --notification-topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic \
      --notification-topic-status active \
      --apply-immediately
    
  2. The command output should return the information available for the reconfigured Memcached cache cluster:
    {
    	"CacheCluster": {
    		"Engine": "memcached",
    		"CacheParameterGroup": {
    			"CacheParameterGroupName": "default.memcached1.6",
    			"ParameterApplyStatus": "in-sync"
    		},
    		"CacheClusterId": "cc-production-memcache-cluster",
    		"PreferredAvailabilityZone": "us-east-1a",
    		"ConfigurationEndpoint": {
    			"Port": 11211,
    			"Address": "cc-production-memcache-cluster.abc.cache.amazonaws.com"
    		},
    
    		...
    
    		"AutoMinorVersionUpgrade": true,
    		"CacheClusterStatus": "modifying",
    		"NumCacheNodes": 2,
    		"TransitEncryptionEnabled": false,
    		"CacheSubnetGroupName": "default",
    		"EngineVersion": "1.6.22",
    		"PendingModifiedValues": {
    			"EngineVersion": "1.6.22"
    		},
    		"PreferredMaintenanceWindow": "sun:07:00-sun:08:00",
    		"CacheNodeType": "cache.r4.large"
    	}
    }
    

08 Repeat steps no. 6 and 7 for each ElastiCache cache cluster that you want to configure, available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the Remediation process for other regions.
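The CLI Audit and Remediation procedures above, combined into one boto3 script as an added example (not Conformity's own code). The decision helpers run offline on a constructed sample; audit_region() and enable_notifications() assume boto3 is installed and AWS credentials are configured, and they treat a missing NotificationConfiguration or a TopicStatus of "inactive" as a finding.

```python
from typing import Dict, Iterable, List, Optional


def topic_arn(cfg: Optional[dict]) -> Optional[str]:
    """Active SNS topic ARN, or None when event notifications are off
    (NotificationConfiguration absent, or TopicStatus not 'active')."""
    if not cfg or cfg.get("TopicStatus", "active") != "active":
        return None
    return cfg.get("TopicArn") or None


def find_unnotified(resources: Iterable[dict], id_key: str) -> List[str]:
    """IDs of cache clusters / replication groups lacking an active topic."""
    return [r[id_key] for r in resources
            if topic_arn(r.get("NotificationConfiguration")) is None]


def audit_region(region: str) -> Dict[str, List[str]]:
    """Live sweep of one region (assumes boto3 and AWS credentials)."""
    import boto3  # lazy import so the pure helpers above run without it
    ec = boto3.client("elasticache", region_name=region)
    clusters = [c for p in ec.get_paginator("describe_cache_clusters").paginate()
                for c in p["CacheClusters"]]
    groups = [g for p in ec.get_paginator("describe_replication_groups").paginate()
              for g in p["ReplicationGroups"]]
    # Redis nodes inside a replication group are fixed via the group, not per node.
    members = {m for g in groups for m in g.get("MemberClusters", [])}
    return {"cache_clusters": [c for c in find_unnotified(clusters, "CacheClusterId")
                               if c not in members],
            "replication_groups": find_unnotified(groups, "ReplicationGroupId")}


def enable_notifications(region: str, findings: Dict[str, List[str]],
                         topic: str, apply_immediately: bool = True) -> None:
    """Point each finding at `topic`, mirroring the page's two modify commands."""
    import boto3
    ec = boto3.client("elasticache", region_name=region)
    for rg in findings["replication_groups"]:
        ec.modify_replication_group(ReplicationGroupId=rg, NotificationTopicArn=topic,
                                    NotificationTopicStatus="active", ApplyImmediately=apply_immediately)
    for cc in findings["cache_clusters"]:
        ec.modify_cache_cluster(CacheClusterId=cc, NotificationTopicArn=topic,
                                NotificationTopicStatus="active", ApplyImmediately=apply_immediately)


TOPIC = "arn:aws:sns:us-east-1:123456789012:cc-prod-cache-cluster-topic"
SAMPLE_CLUSTERS = [  # constructed; same shape as describe-cache-clusters output
    {"CacheClusterId": "cc-production-memcache-cluster"},
    {"CacheClusterId": "cc-production-redis-cluster-001",
     "NotificationConfiguration": {"TopicArn": TOPIC, "TopicStatus": "active"}},
    {"CacheClusterId": "cc-production-redis-cluster-002",
     "NotificationConfiguration": {"TopicArn": TOPIC, "TopicStatus": "inactive"}},
]
```

Run audit_region() for each region in your account and pass its result to enable_notifications() with the topic ARN from step 2; omit apply_immediately to defer the change to the next maintenance window.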

Publication date Jun 14, 2024