Sufficient Backup Retention Period

Risk Level: Medium (should be achieved)

Ensure that your Amazon ElastiCache Redis cache clusters have a sufficient backup retention period set in order to fulfill your organization's compliance requirements. The retention period represents the number of days for which Amazon ElastiCache service retains automatic Redis cluster backups before deleting them. For example, if you set the retention period to 5, a backup taken today is retained for 5 days. Before running this conformity rule by the Trend Cloud One™ – Conformity engine, you must specify your own (compliant) backup retention period in the conformity rule settings.

Reliability

Retaining Amazon ElastiCache cluster backups for a longer (optimal) period of time will allow you to handle more efficiently your data restoration process in the event of a failure.

Note 1: Setting the backup retention period to 0 (zero) days means that your cache cluster backups are never automatically backed up. We strongly recommend that you use automatic backups for your Redis cache clusters, regardless of the level of critical functionality.
Note 2: As an example, this conformity rule will use 14 days as the threshold for the sufficient backup retention period. However, you can adjust anytime the number of days (up to 35), to suit your organization's requirements.

Audit

To determine if your Redis cache clusters have a sufficient backup retention period (≥ 14 days) set for automated backups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 Select the Maintenance and backups tab to access the backup settings available for the selected cache cluster.

06 In the Backup section, ensure that Automatic backups is set to Enabled, then check the Backup retention period attribute value. If the Backup retention period value is set to 0 days, automatic backups are disabled for your cluster. If the number of days configured as backup retention period is less than 14 days, or less than the custom threshold value configured in your Trend Cloud One™ – Conformity account, the selected Amazon ElastiCache Redis cache cluster does not have a sufficient backup retention period configured.

07 Repeat steps no. 4 – 6 for each Redis cache cluster provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache replication group available in the selected AWS region:

aws elasticache describe-replication-groups
  --region us-east-1
  --output table
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return a table with the requested resource names:

-----------------------------------
|    DescribeReplicationGroups    |
+---------------------------------+
|  cc-production-cache-cluster    |
|  cc-web-platform-cache-cluster  |
+---------------------------------+

03 Run describe-replication-groups command (OSX/Linux/UNIX) with the name of the Redis replication group that you want to examine as the identifier parameter and custom output filters to return the number of days to retain automatic backups for the selected ElastiCache resource:

aws elasticache describe-replication-groups
  --region us-east-1
  --replication-group-id cc-production-redis-cluster
  --query 'ReplicationGroups[*].SnapshotRetentionLimit'

04 The command output should return the requested retention value (integer):

[
	3
]

Check the number of days returned by the describe-replication-groups command output. If the returned value is 0, automatic backups are disabled for your cluster (replication group). If the number returned for the backup retention period is less than 14, or less than the custom threshold value configured within your Trend Cloud One™ – Conformity account, the selected Amazon ElastiCache Redis cache cluster does not have a sufficient backup retention period configured.

05 Repeat steps no. 3 and 4 for each Redis cache cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS cloud regions.

Remediation / Resolution

To update the backup configuration for your Amazon ElastiCache Redis cache clusters in order to set up a sufficient backup retention period, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.

04 Select the Redis cache cluster that you want to configure, choose Actions, and select Modify to modify the backup configuration settings available for the cluster.

05 In the Backup section, perform the following operations:

Ensure that Enable automatic backups checkbox is checked.
Ensure that the correct node is selected from the Backup node ID list.
Use the Backup retention period dropdown list to configure the backup retention period (in days) for the selected Redis cache cluster. The new value must match the retention period configured in your Trend Cloud One™ – Conformity account.
For Backup duration, choose the duration during which automated backups are initiated.

06 Choose Preview changes and select Yes under Apply immediately if you want to apply the changes immediately. If Yes is not selected, the changes will be processed during the next maintenance window. Choose Modify to apply the configuration changes.

07 Repeat steps no. 4 – 8 for each Redis cache cluster that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run modify-replication-group command (OSX/Linux/UNIX) with the name of the Redis cache replication group that you want to configure as the identifier parameter, to update the backup retention period (in days) for the selected cache cluster, as specified in the conformity rule settings. Include the --apply-immediately parameter in your command request if you want to apply the changes immediately. If --apply-immediately is not specified, the configuration changes will be processed during the next maintenance window:

aws elasticache modify-replication-group
  --region us-east-1
  --replication-group-id cc-production-cache-cluster
  --snapshot-retention-limit 14
  --apply-immediately

02 The command output should return the information available for the configured cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-production-cache-cluster",
		"Status": "available",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-production-cache-cluster1-001",
			"cc-production-cache-cluster1-002"
		],

		...

		"MultiAZ": "enabled",
		"SnapshotRetentionLimit": 14,
		"SnapshotWindow": "05:00-06:00",
		"CacheNodeType": "cache.m5.large",
		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": true,
	}
}

03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to configure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other AWS regions.

References

AWS Command Line Interface (CLI) Documentation
describe-replication-groups
modify-replication-group

Publication date Jun 17, 2024

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ElastiCache rules