
ElastiCache Reserved Cache Node Recent Purchases

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC-008

Ensure that all the active Amazon ElastiCache Reserved Node (RN) purchases are reviewed every 7 days to make sure that no unwanted RN purchase has been placed recently.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

By checking your Amazon ElastiCache Reserved Node purchases on a regular basis, you can detect and cancel any unwanted purchases placed within your AWS cloud account and avoid unexpected charges on your AWS bill.

You can change the default threshold value (7 days) for the review time frame in the conformity rule settings, in your Trend Cloud One™ – Conformity account.


Audit

To identify the ElastiCache Reserved Node purchases placed recently within your AWS cloud account for review purposes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Reserved nodes.

04 Click on the ID (link) of the ElastiCache Reserved Node that you want to examine.

05 In the Reservation details section, check the Start date attribute value available for the selected reservation. If the Start date value shows a Reserved Node (RN) purchase request placed in the last 7 days and you are unaware of this purchase, check your Amazon CloudTrail trail logs or contact AWS Support Center to resolve the purchase issue for the unwanted Amazon ElastiCache reservation.

06 Repeat steps no. 4 and 5 for each ElastiCache Reserved Node (RN) available within the selected AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-reserved-cache-nodes command (OSX/Linux/UNIX) with custom query filters to list the identifier (ID) of each purchased ElastiCache Reserved Node available in the selected AWS region:

aws elasticache describe-reserved-cache-nodes \
  --region us-east-1 \
  --output table \
  --query 'ReservedCacheNodes[*].ReservedCacheNodeId'

02 The command output should return a table with the requested Reserved Node (RN) IDs:

------------------------------
| DescribeReservedCacheNodes |
+----------------------------+
| cc-production-redis-rn-001 |
| cc-production-redis-rn-002 |
+----------------------------+

03 Run describe-reserved-cache-nodes command (OSX/Linux/UNIX) with the ID of the ElastiCache Reserved Node (RN) that you want to examine as the identifier parameter and custom output filters to describe the date on which the Reserved Node purchase request was placed:

aws elasticache describe-reserved-cache-nodes \
  --region us-east-1 \
  --reserved-cache-node-id cc-production-redis-rn-001 \
  --query 'ReservedCacheNodes[*].StartTime'

04 The command output should return the date when the specified reservation started:

[
	"2024-05-23T09:24:23.133000+00:00"
]

If the date returned by the describe-reserved-cache-nodes command output indicates a recent ElastiCache Reserved Node purchase request (i.e. a request placed in the past 7 days), and you are unaware of this purchase, check your Amazon CloudTrail trail logs or contact AWS Support Center to resolve the purchase issue for the unwanted Amazon ElastiCache reservation.

05 Repeat steps no. 3 and 4 to check the purchase request date for each ElastiCache Reserved Node available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS regions.

Remediation / Resolution

Case A: Check the Amazon CloudTrail trail logs from the date when the ElastiCache Reserved Node purchase request was placed to determine the request context and origin. To find and analyze the required Amazon ElastiCache API logging data, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console available at https://console.aws.amazon.com/cloudtrail/.

03 In the main navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine, available in the same AWS region with the Reserved Node purchase that you want to analyze.

05 In the General details section, click on the Trail log location attribute value (link) to access the S3 folder with your CloudTrail trail log data.

06 Use the following path format to access the right S3 subfolder for analysis: AWSLogs/<aws-account-id>/CloudTrail/<aws-region>/<year>/<month>/<day>/.

07 Based on the log file name identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted Reserved Node purchase request, select the log file, and choose Download to download the required log file.

08 Open the downloaded log file (decompress the .json.gz archive first) in your preferred text editor and search for the following attributes to identify the necessary log record:

  1. "eventSource":"elasticache.amazonaws.com" – for the name of the AWS service used to place the ElastiCache Reserved Node (RN) purchase request.
  2. "eventName":"PurchaseReservedCacheNodesOffering" – for the name of the AWS API action/command used to place the RN purchase request.
  3. "eventTime":"2024-05-20T11:25:00.112Z" – for the time when the RN purchase request was placed.

09 Identify the right CloudTrail log record based on the attributes listed at the previous step and check the "userIdentity" attribute value to determine the origin and context for the unwanted ElastiCache Reserved Node purchase request.

10 Repeat steps no. 6 – 9 for each unwanted ElastiCache Reserved Node purchase request placed in the selected AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
	"cc-main-cloud-trail",
	"cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) with the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom output filters to describe the name of the S3 bucket configured to store logs for the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].S3BucketName'

04 The command output should return the name of the associated bucket:

[
	"cc-main-cloudtrail-logs"
]

05 Run list-objects command (OSX/Linux/UNIX) with the bucket name returned at the previous step to list the name of each S3 object available under the date prefix of the unwanted purchase in the selected Amazon S3 bucket:

aws s3api list-objects \
  --region us-east-1 \
  --bucket cc-main-cloudtrail-logs \
  --prefix AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/24/ \
  --query 'Contents[].Key'

06 The command output should describe the name of each CloudTrail log file available in the selected S3 bucket:

[
	"AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/24/123456789012_CloudTrail_us-east-1_20210320T1425Z_abcd1234abcd1234.json.gz",
	"AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/24/123456789012_CloudTrail_us-east-1_20210320T1425Z_1234abcd1234abcd.json.gz",
	"AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/24/123456789012_CloudTrail_us-east-1_20210320T1425Z_abcd1234abcd1234.json.gz"
]

07 Run get-object command (OSX/Linux/UNIX) to obtain and download the right CloudTrail log file from the target S3 bucket. The last argument is the local file name that the object is written to:

aws s3api get-object \
  --region us-east-1 \
  --bucket cc-main-cloudtrail-logs \
  --key AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/24/123456789012_CloudTrail_us-east-1_20210320T1425Z_abcd1234abcd1234.json.gz \
  123456789012_CloudTrail_us-east-1_20210320T1425Z_abcd1234abcd1234.json.gz

08 The command output should return the GET request metadata, e.g.:

{
	"AcceptRanges": "bytes",
	"ContentType": "application/json",
	"LastModified": "Fri, 24 May 2024 11:30:39 GMT",
	"ContentLength": 5980,
	"ContentEncoding": "gzip",
	"ETag": "\"abcd1234abcd1234abcd1234abcd1234\"",
	"ServerSideEncryption": "AES256",
	"Metadata": {}
}

09 Open the log file downloaded at the previous step (decompress the .json.gz archive first) in your preferred text editor and search for the following attributes to identify the necessary log record:

  1. "eventSource":"elasticache.amazonaws.com" – for the name of the AWS service used to place the ElastiCache Reserved Node (RN) purchase request.
  2. "eventName":"PurchaseReservedCacheNodesOffering" – for the name of the AWS API action/command used to place the RN purchase request.
  3. "eventTime":"2021-03-20T10:11:30.112Z" – for the time when the RN purchase request was placed.

10 Identify the right CloudTrail log record based on the attributes listed at the previous step and check the "userIdentity" attribute value to determine the origin and context for the unwanted ElastiCache Reserved Node purchase request.

11 Repeat steps no. 7 – 10 for each unwanted ElastiCache Reserved Node purchase request placed in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
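The two checks this page walks through by hand, the Audit (is a reservation's StartTime inside the 7-day review window?) and Case A (which CloudTrail record placed it?), as an added stdlib Python example that is not part of the Conformity rule page: recent_reservations applies the review window to describe-reserved-cache-nodes output, and purchase_events filters a CloudTrail log file on the eventSource/eventName attributes from step 09 and reports the userIdentity and source address. The sample reservations, log records, account ID and IP address are constructed.

```python
import gzip
import json
from datetime import datetime, timedelta, timezone

REVIEW_WINDOW_DAYS = 7  # the rule's default review time frame

def recent_reservations(reserved_nodes, now, days=REVIEW_WINDOW_DAYS):
    """IDs of reservations whose StartTime lies within the last `days` days.

    `reserved_nodes` mirrors the ReservedCacheNodes list that
    `aws elasticache describe-reserved-cache-nodes` returns (ISO 8601 StartTime).
    """
    cutoff = now - timedelta(days=days)
    return [n["ReservedCacheNodeId"] for n in reserved_nodes
            if datetime.fromisoformat(n["StartTime"]) >= cutoff]

def purchase_events(trail_log_bytes):
    """PurchaseReservedCacheNodesOffering records from one gzip-compressed CloudTrail
    log file (JSON with a top-level "Records" array), with who placed each request."""
    records = json.loads(gzip.decompress(trail_log_bytes))["Records"]
    return [{"eventTime": r["eventTime"],
             "principal": r["userIdentity"].get("arn", r["userIdentity"].get("type")),
             "sourceIPAddress": r.get("sourceIPAddress")}
            for r in records
            if r.get("eventSource") == "elasticache.amazonaws.com"
            and r.get("eventName") == "PurchaseReservedCacheNodesOffering"]

# Constructed sample input (not data from a real account): two reservations and a
# tiny CloudTrail log file holding one purchase event and one unrelated read call.
SAMPLE_NOW = datetime(2024, 5, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_NODES = [
    {"ReservedCacheNodeId": "cc-production-redis-rn-001",
     "StartTime": "2024-05-23T09:24:23.133000+00:00"},
    {"ReservedCacheNodeId": "cc-production-redis-rn-002",
     "StartTime": "2023-11-02T08:00:00+00:00"},
]
IDENTITY = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"}
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventSource": "elasticache.amazonaws.com", "eventName": "PurchaseReservedCacheNodesOffering",
     "eventTime": "2024-05-23T09:24:23Z", "sourceIPAddress": "203.0.113.10", "userIdentity": IDENTITY},
    {"eventSource": "elasticache.amazonaws.com", "eventName": "DescribeReservedCacheNodes",
     "eventTime": "2024-05-23T10:00:00Z", "sourceIPAddress": "203.0.113.10", "userIdentity": IDENTITY},
]}).encode())

if __name__ == "__main__":
    for rn_id in recent_reservations(SAMPLE_NODES, SAMPLE_NOW):
        print(f"review {rn_id}; purchase events in the log:", purchase_events(SAMPLE_LOG))
```

Against a real account, feed the JSON from describe-reserved-cache-nodes and the .json.gz file fetched with get-object into the two functions; a reservation that is flagged but has no matching purchase event in the trail for that day points at a log gap worth investigating as well.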

Case B: To mitigate unwanted ElastiCache Reserved Node purchase requests you can contact AWS Support and ask for Reserved Node purchase cancellation. To create the necessary case using the AWS Support Center, perform the following actions:

Creating a support case to request ElastiCache Reserved Node purchase cancellation using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Support Center console available at https://console.aws.amazon.com/support/.

03 In the main navigation panel, choose Your support cases.

04 Choose Create case and perform the following operations:

  1. For How can we help? select Account and billing.
  2. For Service select Account.
  3. For Category select Other Account Issues.
  4. Choose Next step: Additional information to continue the process.
  5. Provide the request subject in the Subject box, e.g. "Cancel unwanted Amazon ElastiCache Reserved Node purchase(s)".
  6. In the Description textbox, provide a concise description where you can specify the reason why you want to cancel the recent ElastiCache Reserved Node purchase and explain how and when this unwanted purchase request was placed. This will help the AWS support team to promptly evaluate your request.
  7. Choose Next step: Solve now or contact us to continue.
  8. Choose the Contact us tab and perform the following actions:
    1. For Preferred contact language, choose your preferred correspondence language for the current support case.
    2. Select a preferred contact method that AWS support team can use to respond to your request.
  9. Choose Submit to send your request to Amazon Web Services (AWS). A customer support representative will contact you shortly.


Publication date Mar 14, 2017