Logo of Trend Micro

ElastiCache Redis Multi-AZ

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC-002

Ensure that your ElastiCache Redis Cache clusters are using a Multi-AZ deployment configuration to enhance High Availability (HA) through automatic failover to a read replica in case of a primary cache node failure.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Enabling the Multi-AZ Automatic Failover feature for your Redis Cache clusters will improve the fault tolerance in case the read/write primary node becomes unreachable due to loss of network connectivity, loss of availability in the primary’s AZ, etc.

Note: Redis Cache Multi-AZ with automatic failover does not support T1 and T2 cache node types or cache clusters with the Redis engine version earlier than 2.8.6.
Note: Redis Cache Multi-AZ with automatic failover is only available if the cluster has at least one read replica

Audit

To determine if your ElastiCache Redis Cache clusters are using a Multi-AZ configuration, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Redis to access your cache clusters created with the Redis engine.

04 Choose the cache cluster that you want to examine then click on the Show Item Details icon available next to the cluster identifier (name):

Show Item Details

05 On the selected cluster description panel, verify the Multi-AZ feature status:

verify the Multi-AZ feature status

listed in the right column. If the feature current status is set to disabled, the selected Amazon ElastiCache Redis cluster is not running within a Multi-AZ Replication Group, therefore the cache cluster is not fault-tolerant.

06 Repeat step no. 4 and 5 to verify the Multi-AZ feature status for other ElastiCache Redis clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-replication-groups command (OSX/Linux/UNIX) using custom query filters to list the identifiers of all ElastiCache Redis replication groups available in the selected region: 

aws elasticache describe-replication-groups
  --region us-east-1
  --output table
  --query 'ReplicationGroups[*].ReplicationGroupId'

02 The command output should return a table with the requested identifiers (names): 

---------------------------
|DescribeReplicationGroups|
+-------------------------+
|   cc-redis-cluster-01   |
|   cc-redis-cluster-02   |
|   cc-redis-cluster-03   |
+-------------------------+

03 Run again describe-replication-groups command (OSX/Linux/UNIX) using the identifier of the cluster that you want to examine and the necessary query filters to reveal the Multi-AZ Automatic Failover feature status for the selected replication group: 

aws elasticache describe-replication-groups
  --region us-east-1
  --replication-group-id cc-redis-cluster-01
  --query 'ReplicationGroups[*].AutomaticFailover'

04 The command output should return the Multi-AZ feature current status (enabled for active, disabled for inactive):

[
    "disabled"
]

If the current status is set to disabled, the Multi-AZ Automatic Failover feature is not enabled for the selected Amazon ElastiCache Redis Cache cluster, therefore the cache cluster is not having fault tolerant protection.

05 Repeat step no. 3 and 4 to verify the Multi-AZ feature status for other ElastiCache Redis clusters provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Multi-AZ Automatic Failover feature for your ElastiCache Redis Cache clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Redis to access your clusters created with the Redis Cache engine.

04 Select the cache cluster that you want to modify (see Audit section part I to identify the right resource) then click on the Modify button from the dashboard top menu.

05 In the Modify Cluster dialog box, perform the following actions:

  1. Select Yes next to Multi-AZ: Select Yes next to Multi-AZ to enable the feature.
  2. Select Apply Immediately checkbox: Select Apply Immediately checkbox to apply the configuration changes immediately. The modifications will be applied asynchronously, as soon as possible. If Apply Immediately is not selected, the changes will be processed during the next maintenance window.
  3. Click Modify to apply the changes and enable Multi-AZ Automatic Failover. During the update process the cluster status should change from available to modifying and back to available. Once the configuration update is complete, the feature status on the description panel should change to enabled.

06 Repeat step no. 4 and 5 to enable the Multi-AZ feature for other AWS ElastiCache clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-replication-group command (OSX/Linux/UNIX) to enable the Multi-AZ Automatic Failover feature for the selected ElastiCache Redis replication group: 

aws elasticache modify-replication-group
    --region us-east-1
    --replication-group-id cc-redis-cluster-01
    --automatic-failover-enabled
    --apply-immediately

02 The command output should return the metadata of the replication group selected for update. The AutomaticFailover attribute value should change to "enabling": 

{
    "ReplicationGroup": {
        "Status": "modifying",
        "Description": "CC Redis Cache cluster",
        "NodeGroups": [
            {
                "Status": "modifying",
                "NodeGroupMembers": [

                ...

                ],
                "NodeGroupId": "0001",
                "PrimaryEndpoint": {
                    "Port": 6379,
                    "Address": "cc-redis-cluster.bdaygu.ng ... "
                }
            }
        ],
        "ReplicationGroupId": "cc-redis-cluster-01",
        "SnapshotRetentionLimit": 0,
        "AutomaticFailover": "enabling",
        "SnapshotWindow": "07:00-08:00",
        "PendingModifiedValues": {}
    }
}

03 Repeat step no. 1 and 2 to enable the Multi-AZ Automatic Failover feature for other AWS ElastiCache Redis clusters provisioned in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.

References

Publication date Dec 23, 2016

Related ElastiCache rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

ElastiCache Redis Multi-AZ

Risk level: Medium