ElastiCache Nodes Counts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-010

Ensure that the number of ElastiCache cluster cache nodes provisioned in your AWS account has not reached the limit quota established by your organization for the ElastiCache workload deployed. By default, Cloud Conformity sets a threshold value of 5 for the maximum number of provisioned cluster nodes, but you can adjust this threshold based on your requirements. Once you define your own threshold for the maximum number of ElastiCache cluster nodes that you need to run across all AWS regions, the Cloud Conformity engine continuously scans your account for ElastiCache nodes, and when the number of cluster nodes reaches the specified count (threshold), you are notified via the communication channels configured within your Cloud Conformity account. If the ElastiCache limit quota defined for your AWS account is reached, you can raise an AWS support case to request limiting the number of provisioned ElastiCache nodes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Monitoring and setting limits for the maximum number of ElastiCache cluster nodes provisioned within your AWS account will help you to better manage your ElastiCache compute resources and prevent unexpected charges on your AWS bill. For example, users within your organization can create more AWS ElastiCache clusters than the number established in the company policy, exceeding the monthly budget allocated for cloud computing resources. Also, if your AWS account is compromised and the attacker is able to create large ElastiCache clusters for malicious purposes, these can quickly drive up your AWS ElastiCache costs.

Note: The threshold for the maximum number of ElastiCache nodes per AWS account set for this conformity rule is 5 (default value).


Audit

To determine the number of ElastiCache cluster nodes provisioned within your AWS account, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Memcached to access the cache clusters created with the Memcached in-memory cache engine or Redis to access the clusters created with the Redis engine.

04 Check the total number of Memcached / Redis cluster cache nodes available in the current AWS region, listed in the Nodes column:

05 Change the AWS region from the navigation bar and repeat steps 3 and 4 for all other regions. If the total number of ElastiCache cluster nodes provisioned in your AWS account is greater than 5, the recommended threshold has been exceeded; create an AWS support case to limit the number of cache nodes based on your requirements (see Remediation/Resolution section).

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) using custom query filters to list the number of nodes provisioned for each ElastiCache cluster available in the selected AWS region:

				aws elasticache describe-cache-clusters \
				  --region us-east-1 \
				  --query 'CacheClusters[*].[Engine,NumCacheNodes]'
				

02 The command output should return an array that contains pairs of metadata representing the cache engine type (i.e. Memcached, Redis) and the number of nodes for each cache cluster available in the selected region:

				[
				    [
				        "memcached",
				        3
				    ],
				    [
				        "redis",
				        8
				    ],
				    [
				        "redis",
				        8
				    ]
				]
				

03 Repeat steps 1 and 2 to execute the describe-cache-clusters command for all other AWS regions. Each command output returns the number of nodes for each cluster available in the selected region. If the total number of ElastiCache nodes returned is greater than 5 (combined across regions), the defined limit threshold has been exceeded; raise an AWS support case to limit the number of cache nodes that can be created in your account.
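The three CLI steps above can be combined into one script that totals the nodes and compares the result with the threshold. This is an added example, not Conformity's own code: the `LIVE` and `THRESHOLD` environment variables and the function names are assumptions, and by default it runs on sample rows built from the example output in step 02.

```sh
#!/bin/sh
# Added example (not Conformity's code): total ElastiCache nodes vs. threshold.
THRESHOLD="${THRESHOLD:-5}"   # rule default stated on this page

# Sum column 2 of "engine<TAB>nodes" lines; prints 0 for empty input.
sum_nodes() {
  awk '{ total += $2 } END { print total + 0 }'
}

# Per-engine breakdown on one line, e.g. "memcached=3 redis=16".
nodes_by_engine() {
  awk 'NF >= 2 { n[$1] += $2 } END { for (e in n) printf "%s=%d\n", e, n[e] }' \
    | sort | paste -sd' ' -
}

# Succeeds while the total is within the threshold, fails once it is exceeded.
within_threshold() {
  [ "$1" -le "$2" ]
}

# Live collection: the page's query in every enabled region, as text rows.
# Requires the AWS CLI and read-only credentials; not run by default.
list_all_regions() {
  for region in $(aws ec2 describe-regions \
      --query 'Regions[].RegionName' --output text); do
    aws elasticache describe-cache-clusters --region "$region" \
      --query 'CacheClusters[*].[Engine,NumCacheNodes]' --output text
  done
}

# Sample rows built from the example output shown in step 02 above.
SAMPLE=$(printf 'memcached\t3\nredis\t8\nredis\t8')

# LIVE=1 (hypothetical switch) queries AWS; otherwise the sample is used.
if [ "${LIVE:-0}" = "1" ]; then listing=$(list_all_regions); else listing=$SAMPLE; fi

total=$(printf '%s\n' "$listing" | sum_nodes)
echo "nodes by engine: $(printf '%s\n' "$listing" | nodes_by_engine)"
if within_threshold "$total" "$THRESHOLD"; then
  echo "OK: $total node(s), threshold $THRESHOLD"
else
  echo "EXCEEDED: $total node(s), threshold $THRESHOLD"
fi
```

With the sample rows the total is 19, which exceeds the default threshold of 5; the per-engine line shows which engine accounts for the growth.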

Remediation / Resolution

To create an AWS support case in order to request limiting the number of provisioned ElastiCache cluster nodes in your AWS account based on your requirements, perform the following actions:

Note: Requesting a limit for the number of cache nodes per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 In the left navigation panel, choose Create Case to create a new AWS support case.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Service Limit Increase.
  2. Choose ElastiCache Nodes from the Limit Type dropdown list.
  3. In the Request 1 section, perform the following actions:
    • From the Region dropdown list, select the AWS region where you need to limit the creation of ElastiCache cluster nodes.
    • Select ElastiCache Node Limit from the Limit dropdown list.
    • In the New limit value box, enter the limit value to request for the number of provisioned cache nodes.
  4. In the Use Case Description textbox, enter a brief description explaining the limit request so that AWS support can evaluate your case promptly.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services. A customer support representative will contact you shortly.

Publication date Sep 23, 2017
