ElastiCache Engine Version
Ensure that your Amazon ElastiCache clusters are using the latest stable version of the Redis/Memcached cache engine in order to adhere to AWS cloud best practices, benefit from better security by having the most recent vulnerability patches, receive the newest software features, and get the latest performance optimizations.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Upgrade your Amazon ElastiCache cache clusters to the latest Redis/Memcached engine version and unlock a range of benefits:
- New features: gain access to the newest functionalities offered by the latest engine version.
- Performance boost: experience improved speed and efficiency for your cache operations.
- Optimized memory usage: benefit from enhanced memory management techniques.
- Enhanced security: stay protected with the latest bug fixes and security patches.
Audit
To determine if your Amazon ElastiCache clusters are using the latest version of Redis/Memcached engine, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.
03 For Redis cache clusters:
- In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
- Click on the name (link) of the Redis cache cluster that you want to examine.
- In the Cluster details section, check the Engine version attribute value to identify the Redis cache engine version installed for the selected cluster. Compare the Engine version value with the latest Redis engine version supported by Amazon ElastiCache, listed on this page. If there is a newer Redis engine version supported by Amazon ElastiCache, the cache engine version installed on the selected Redis cluster should be upgraded to benefit from all the security and performance improvements that come with the latest engine version.
04 For Memcached cache clusters:
- In the navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
- Click on the name (link) of the Memcached cache cluster that you want to examine.
- In the Cluster details section, check the Engine version attribute value to identify the Memcached cache engine version installed for the selected cluster. Compare the Engine version value with the latest Memcached engine version supported by Amazon ElastiCache, listed on this page. If there is a newer Memcached engine version supported by Amazon ElastiCache, the cache engine version installed on the selected Memcached cluster should be upgraded to benefit from all the security and performance improvements that come with the latest engine version.
05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned within the current AWS region.
06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 For Redis cache clusters:
- Run the describe-cache-clusters command (OSX/Linux/UNIX) with custom output filters to list the identifier (name) of each Redis cache cluster available in the selected AWS region:
aws elasticache describe-cache-clusters --region us-east-1 --output table --query 'CacheClusters[?(Engine==`redis`)].CacheClusterId'
- The command output should return a table with the requested resource names:
-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-redis-cluster-001  |
|  cc-production-redis-cluster-001  |
+-----------------------------------+
- Run the describe-cache-clusters command (OSX/Linux/UNIX) again, with the name of the Redis cache cluster that you want to examine as the identifier parameter and custom output filters, to describe the Redis cache engine version installed on the selected cache cluster:
aws elasticache describe-cache-clusters --region us-east-1 --cache-cluster-id cc-production-redis-cluster-001 --query 'CacheClusters[*].EngineVersion'
- The command output should return the Redis cache engine version:
[ "5.0.6" ]
Compare the engine version returned by the describe-cache-clusters command output with the latest Redis engine version supported by Amazon ElastiCache, listed on this page. If there is a newer Redis engine version supported by Amazon ElastiCache, the cache engine version installed on the selected Redis cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version.
02 For Memcached cache clusters:
- Run the describe-cache-clusters command (OSX/Linux/UNIX) to list the name of each Memcached cache cluster available in the selected AWS cloud region:
aws elasticache describe-cache-clusters --region us-east-1 --output table --query 'CacheClusters[?(Engine==`memcached`)].CacheClusterId'
- The command output should return a table with the requested cluster names:
-------------------------------------
|       DescribeCacheClusters       |
+-----------------------------------+
|  cc-production-memcache-cluster   |
|  cc-backend-app-memcache-cluster  |
+-----------------------------------+
- Run the describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Memcached cache cluster that you want to examine as the identifier parameter, to describe the Memcached cache engine version installed on the selected cache cluster:
aws elasticache describe-cache-clusters --region us-east-1 --cache-cluster-id cc-production-memcache-cluster --query 'CacheClusters[*].EngineVersion'
- The command output should return the Memcached cache engine version:
[ "1.5.10" ]
Compare the engine version returned by the describe-cache-clusters command output with the latest Memcached engine version supported by Amazon ElastiCache, listed on this page. If there is a newer Memcached engine version supported by Amazon ElastiCache, the cache engine version installed on the selected Memcached cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version.
03 Repeat steps no. 1 and 2 for each Amazon ElastiCache cluster provisioned in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Audit process for other regions.
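The comparison step of the audit above, automated as an added example (not part of the original page or of the Conformity tool): it takes the JSON returned by describe-cache-clusters and by describe-cache-engine-versions and flags clusters running behind the newest version offered for their engine. The sample documents are constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed to the fields used from `describe-cache-clusters`.
CLUSTERS = json.loads("""{"CacheClusters": [
  {"CacheClusterId": "cc-production-redis-cluster-001", "Engine": "redis", "EngineVersion": "5.0.6"},
  {"CacheClusterId": "cc-production-redis-cluster-002", "Engine": "redis", "EngineVersion": "7.1"},
  {"CacheClusterId": "cc-production-memcache-cluster", "Engine": "memcached", "EngineVersion": "1.5.10"},
  {"CacheClusterId": "cc-backend-app-memcache-cluster", "Engine": "memcached", "EngineVersion": "1.6.22"}
]}""")

# Constructed sample, trimmed to the fields used from `describe-cache-engine-versions`.
CATALOG = json.loads("""{"CacheEngineVersions": [
  {"Engine": "memcached", "EngineVersion": "1.5.10"},
  {"Engine": "memcached", "EngineVersion": "1.6.22"},
  {"Engine": "memcached", "EngineVersion": "1.6.6"},
  {"Engine": "redis", "EngineVersion": "5.0.6"},
  {"Engine": "redis", "EngineVersion": "6.2"},
  {"Engine": "redis", "EngineVersion": "7.1"}
]}""")

def parse_version(text):
    """'1.6.22' -> (1, 6, 22). As strings, '1.6.6' would sort above '1.6.22'."""
    return tuple(int(part) for part in text.split("."))

def latest_per_engine(catalog):
    """Return {engine: newest EngineVersion string} from the version catalogue."""
    latest = {}
    for entry in catalog["CacheEngineVersions"]:
        engine, version = entry["Engine"], entry["EngineVersion"]
        if engine not in latest or parse_version(version) > parse_version(latest[engine]):
            latest[engine] = version
    return latest

def is_outdated(current, latest):
    """Compare only the components both versions specify, so a cluster
    reporting '6.2.6' is not flagged against a catalogue entry '6.2'."""
    cur, new = parse_version(current), parse_version(latest)
    width = min(len(cur), len(new))
    return cur[:width] < new[:width]

def audit(clusters, catalog):
    """Return (cluster id, engine, installed version, latest version) per finding."""
    latest = latest_per_engine(catalog)
    findings = []
    for cluster in clusters["CacheClusters"]:
        target = latest.get(cluster["Engine"])
        if target and is_outdated(cluster["EngineVersion"], target):
            findings.append((cluster["CacheClusterId"], cluster["Engine"],
                             cluster["EngineVersion"], target))
    return findings

if __name__ == "__main__":
    for finding in audit(CLUSTERS, CATALOG):
        print("%s: %s %s -> upgrade to %s" % finding)
```

To run it against a real account, load the two documents from the CLI's JSON output for each region instead of the embedded samples.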
Remediation / Resolution
To upgrade the Redis/Memcached cache engine version for your existing Amazon ElastiCache cache clusters, perform the following operations:
Upgrading Redis/Memcached cache engine version via AWS Management Console is not currently supported.
Case A: Memcached Cache Clusters
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Upgrade Memcached Cache Engine to Latest Supported Version",
  "Resources": {
    "MemcachedCacheCluster": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
        "ClusterName": "cc-memcached-cluster",
        "Engine": "memcached",
        "NumCacheNodes": "2",
        "CacheNodeType": "cache.t2.micro",
        "PreferredAvailabilityZone": "us-east-1b",
        "VpcSecurityGroupIds": ["sg-0abcd1234abcd1234"],
        "EngineVersion": "1.6.6"
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Memcached Cache Engine to Latest Supported Version
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      ClusterName: cc-memcached-cluster
      Engine: memcached
      NumCacheNodes: '2'
      CacheNodeType: cache.t2.micro
      PreferredAvailabilityZone: us-east-1b
      VpcSecurityGroupIds:
        - sg-0abcd1234abcd1234
      EngineVersion: 1.6.6
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_elasticache_cluster" "memcached-cache-cluster" {
  cluster_id           = "cc-memcached-cluster"
  engine               = "memcached"
  node_type            = "cache.t2.micro"
  num_cache_nodes      = 2
  availability_zone    = "us-east-1b"
  parameter_group_name = "default.memcached1.6"
  security_group_ids   = ["sg-0abcd1234abcd1234"]

  # Upgrade Memcached Cache Engine to Latest Supported Version
  engine_version       = "1.6.6"
  apply_immediately    = true
}
Using AWS CLI
01 To upgrade the Memcached engine version for your Amazon ElastiCache cache cluster to the latest stable version supported by AWS, run the modify-cache-cluster command (OSX/Linux/UNIX) with the name of the cache cluster that you want to upgrade as the identifier parameter. Include the --apply-immediately parameter in the command request if you want to apply the configuration change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
aws elasticache modify-cache-cluster --region us-east-1 --cache-cluster-id cc-production-memcache-cluster --engine-version 1.6.22 --apply-immediately
02 The command output should return the information available for the configured Memcached cache cluster:
{
  "CacheCluster": {
    "CacheClusterId": "cc-production-memcache-cluster",
    "ConfigurationEndpoint": {
      "Address": "cc-production-memcache-cluster.abcabc.cfg.use1.cache.amazonaws.com",
      "Port": 11211
    },
    "Engine": "memcached",
    ...
    "AutoMinorVersionUpgrade": true,
    "TransitEncryptionEnabled": false,
    "AtRestEncryptionEnabled": false,
    "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-production-memcache-cluster",
    "ReplicationGroupLogDeliveryEnabled": false,
    "LogDeliveryConfigurations": []
  }
}
03 Repeat steps no. 1 and 2 for each Memcached cache cluster that you want to upgrade, available in the selected AWS cloud region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
Case B: Redis Cache Clusters
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Upgrade Redis Cache Engine to Latest Supported Version",
  "Resources": {
    "RedisReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "ReplicationGroupDescription": "Production Replication Group",
        "NumCacheClusters": "2",
        "CacheNodeType": "cache.t2.micro",
        "CacheParameterGroupName": "default.redis6.x",
        "Engine": "redis",
        "EngineVersion": "6.2"
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Redis Cache Engine to Latest Supported Version
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-redis-cache-cluster
      ReplicationGroupDescription: Production Replication Group
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      Engine: redis
      EngineVersion: '6.2'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {
  replication_group_id = "cc-redis-cache-cluster"
  description          = "Production Replication Group"
  engine               = "redis"
  node_type            = "cache.t2.micro"
  num_cache_clusters   = 2
  parameter_group_name = "default.redis6.x"

  # Upgrade Redis Cache Engine to Latest Supported Version
  engine_version       = "6.2"
  apply_immediately    = true
}
Using AWS CLI
01 To upgrade the Redis engine version for your Amazon ElastiCache cache cluster to the latest stable version supported by AWS, run the modify-replication-group command (OSX/Linux/UNIX) with the name of the replication group that you want to upgrade as the identifier parameter. Include the --apply-immediately parameter in the command request if you want to apply the configuration change immediately. If --apply-immediately is not specified, the configuration change will be processed during the next maintenance window:
aws elasticache modify-replication-group --region us-east-1 --replication-group-id cc-production-redis-cluster --engine-version 7.1 --apply-immediately
02 The command output should return the information available for the configured Redis replication group:
{
  "ReplicationGroup": {
    "ReplicationGroupId": "cc-production-redis-cluster",
    "Status": "available",
    "PendingModifiedValues": {},
    "MemberClusters": [
      "cc-production-redis-cluster-001",
      "cc-production-redis-cluster-002"
    ],
    ...
    "MultiAZ": "enabled",
    "SnapshotRetentionLimit": 14,
    "SnapshotWindow": "05:00-06:00",
    "CacheNodeType": "cache.m5.large",
    "TransitEncryptionEnabled": true,
    "AtRestEncryptionEnabled": true
  }
}
03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to configure, available in the selected AWS cloud region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.