
ElastiCache Engine Version

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC-013

Ensure that your Amazon ElastiCache clusters are running the latest stable version of the Redis or Memcached cache engine, so that they adhere to AWS cloud best practices, carry the most recent vulnerability patches, and receive the latest Redis and Memcached features and performance optimizations.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework pillars:

  • Security
  • Reliability
  • Performance efficiency
  • Sustainability

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

When your Amazon ElastiCache clusters run the latest version of the Redis or Memcached cache engine, you benefit from new features and enhancements, better performance and memory management, bug fixes and security patches. For example (the versions quoted here are those that were current when this rule was written), upgrading Redis cache clusters to engine version 3.2.6 brings the improvements of Redis 3 (data partitioning, geospatial indexing, online cluster resizing, replica scaling, etc.) plus those added by AWS, such as support for newer cache node types, in-transit and at-rest encryption, and HIPAA eligibility. For Memcached cache clusters, upgrading to engine version 1.4.34 adds several bug fixes, systemd service hardening, improved support for items larger than 1 MB, and the ability to dynamically increase the memory available to the engine without restarting the cache cluster. Keep in mind that ElastiCache only moves forward: once a cluster has been upgraded, its engine version cannot be downgraded.

Audit

Case A: To determine if your Memcached cache clusters are using the latest version of Memcached engine, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Memcached clusters to access the cache clusters created with the Memcached in-memory cache engine.

04 Click on the name (link) of the Memcached cache cluster that you want to examine.

05 In the Cluster details section, check the Engine version attribute value to determine the Memcached version installed on the selected cache cluster.

06 Check the list of Memcached engine versions supported by Amazon ElastiCache in the ElastiCache documentation to identify the latest stable version of the Memcached engine that the service supports.

07 Compare the latest Memcached cache engine version supported by ElastiCache with the version installed on your cache cluster, listed as value for the Engine version attribute value. If there is a newer Memcached engine version released and supported by Amazon ElastiCache, the cache engine version installed on the selected Memcached cache cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

08 Repeat steps no. 4 – 7 for each Memcached cache cluster available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier (name) of each Memcached cache cluster available in the selected region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --query 'CacheClusters[?(Engine==`memcached`)].CacheClusterId'

02 The command output should return an array with the requested cluster names:

[
    "cc-memcached-cluster",
    "cc-web-cache-cluster"
]

03 Run describe-cache-clusters command (OSX/Linux/UNIX) using the name of the Memcached cache cluster that you want to examine as the identifier parameter and custom query filters to describe the Memcached engine version installed on the selected cache cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-memcached-cluster \
  --query 'CacheClusters[*].EngineVersion'

04 The command output should return the Memcached version installed on the cluster:

[
    "1.5.10"
]

05 Check the list of Memcached engine versions supported by Amazon ElastiCache in the ElastiCache documentation to identify the latest stable version of the Memcached engine that the service currently supports.

06 Compare the latest Memcached cache engine version supported by ElastiCache with the version installed on your cache cluster, returned at step no. 4. If there is a newer Memcached engine version released and supported by Amazon ElastiCache, the cache engine version installed on the selected Memcached cache cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

07 Repeat steps no. 3 – 6 for each Memcached cache cluster provisioned in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other regions.

Case B: To determine if your Redis cache clusters are using the latest version of Redis engine, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, choose Redis clusters to access the cache clusters created with the Redis cache engine.

04 Click on the name (link) of the Redis cache cluster that you want to examine.

05 In the Cluster details section, check the Engine version attribute value to determine the Redis version installed on the selected cache cluster.

06 Check the list of Redis engine versions supported by Amazon ElastiCache in the ElastiCache documentation to identify the latest stable version of the Redis engine that the service supports.

07 Compare the latest Redis cache engine version supported by ElastiCache with the version installed on your cache cluster, listed as value for the Engine version attribute value. If there is a newer Redis engine version released and supported by Amazon ElastiCache, the cache engine version installed on the selected Redis cache cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

08 Repeat steps no. 4 – 7 for each Redis cache cluster available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier of each Redis cache cluster provisioned in the selected region:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --query 'CacheClusters[?(Engine==`redis`)].CacheClusterId'

02 The command output should return an array with the requested cluster names:

[
    "cc-redis-cache-cluster-001",
    "cc-redis-cache-cluster-002"
]

03 Run describe-cache-clusters command (OSX/Linux/UNIX) using the name of the Redis cache cluster that you want to examine as the identifier parameter and custom query filters to describe the Redis engine version installed on the selected cache cluster:

aws elasticache describe-cache-clusters \
  --region us-east-1 \
  --cache-cluster-id cc-redis-cache-cluster-001 \
  --query 'CacheClusters[*].EngineVersion'

04 The command output should return the Redis version installed on the cluster:

[
    "5.0.6"
]

05 Check the list of Redis engine versions supported by Amazon ElastiCache in the ElastiCache documentation to identify the latest stable version of the Redis engine that the service currently supports.

06 Compare the latest Redis cache engine version supported by ElastiCache with the version installed on your cache cluster, returned at step no. 4. If there is a newer Redis engine version released and supported by Amazon ElastiCache, the cache engine version installed on the selected Redis cache cluster should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

07 Repeat steps no. 3 – 6 for each Redis cache cluster provisioned in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other regions.

Remediation / Resolution

Case A: To upgrade the Memcached engine version for your Amazon ElastiCache Memcached cache clusters, perform the following operations:

Note: Upgrading Memcached cache engine version via AWS Management Console is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Upgrade Memcached Cache Engine to Latest Supported Version",
    "Resources": {
        "MemcachedCacheCluster": {
            "Type": "AWS::ElastiCache::CacheCluster",
            "Properties": {
                "ClusterName": "cc-memcached-cluster",
                "Engine": "memcached",
                "NumCacheNodes": "2",
                "CacheNodeType": "cache.t2.micro",
                "PreferredAvailabilityZone": "us-east-1b",
                "VpcSecurityGroupIds": ["sg-0abcd1234abcd1234"],
                "EngineVersion": "1.6.6"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Memcached Cache Engine to Latest Supported Version
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      ClusterName: cc-memcached-cluster
      Engine: memcached
      NumCacheNodes: '2'
      CacheNodeType: cache.t2.micro
      PreferredAvailabilityZone: us-east-1b
      VpcSecurityGroupIds:
        - sg-0abcd1234abcd1234
      EngineVersion: 1.6.6

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_cluster" "memcached-cache-cluster" {

  cluster_id           = "cc-memcached-cluster"
  engine               = "memcached"
  node_type            = "cache.t2.micro"
  num_cache_nodes      = 2
  availability_zone    = "us-east-1b"
  parameter_group_name = "default.memcached1.6"
  security_group_ids   = ["sg-0abcd1234abcd1234"]

  # Upgrade Memcached Cache Engine to Latest Supported Version
  engine_version       = "1.6.6"
  apply_immediately    = true

}

Using AWS CLI

01 To upgrade the cache engine version of your Memcached cache cluster to the latest stable version supported by AWS, run modify-cache-cluster command (OSX/Linux/UNIX) using the name of the cache cluster that you want to reconfigure as the identifier parameter. Include the --apply-immediately parameter if you want the engine version change applied right away; without it, the change is processed during the next maintenance window. Two caveats apply. A Memcached engine upgrade replaces the cache nodes, so all cached data is lost; schedule it off-peak and make sure the application tolerates a cold cache. ElastiCache does not support downgrading an engine version, so verify the target version before you run the command. If the target version belongs to a different parameter group family than the current one (for example memcached1.5 to memcached1.6), pass a parameter group of the new family with --cache-parameter-group-name in the same request:

aws elasticache modify-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id cc-memcached-cluster \
  --engine-version 1.6.6 \
  --apply-immediately

02 The command output should return the configuration information available for the modified Memcached cache cluster:

{
    "CacheCluster": {
        "CacheClusterId": "cc-memcached-cluster",
        "ConfigurationEndpoint": {
            "Address": "cc-memcached-cluster.abcabc.cfg.use1.cache.amazonaws.com",
            "Port": 11211
        },
        "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
        "CacheNodeType": "cache.t2.micro",
        "Engine": "memcached",
        "EngineVersion": "1.5.10",
        "CacheClusterStatus": "modifying",
        "NumCacheNodes": 1,
        "PreferredAvailabilityZone": "us-east-1a",
        "CacheClusterCreateTime": "2022-05-13T17:08:43.554000+00:00",
        "PreferredMaintenanceWindow": "sun:06:00-sun:07:00",
        "PendingModifiedValues": {
            "EngineVersion": "1.6.6"
        },
        "CacheSecurityGroups": [],
        "CacheParameterGroup": {
            "CacheParameterGroupName": "default.memcached1.5",
            "ParameterApplyStatus": "in-sync",
            "CacheNodeIdsToReboot": []
        },
        "CacheSubnetGroupName": "cc-redis-cluster-sg",
        "AutoMinorVersionUpgrade": true,
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-memcached-cluster",
        "ReplicationGroupLogDeliveryEnabled": false,
        "LogDeliveryConfigurations": []
    }
}

03 Repeat steps no. 1 and 2 for each Memcached cache cluster that you want to reconfigure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Case B: To upgrade the Redis cache engine version for your Amazon ElastiCache Redis cache clusters, perform the following actions:

Note: Upgrading Redis cache engine version via AWS Management Console is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Upgrade Redis Cache Engine to Latest Supported Version",
    "Resources": {
        "RedisReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "ReplicationGroupId": "cc-redis-cache-cluster",
                "ReplicationGroupDescription": "Production Replication Group",
                "NumCacheClusters": "2",
                "CacheNodeType": "cache.t2.micro",
                "CacheParameterGroupName": "default.redis6.x",
                "Engine": "redis",
                "EngineVersion": "6.2"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade Redis Cache Engine to Latest Supported Version
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-redis-cache-cluster
      ReplicationGroupDescription: Production Replication Group
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      Engine: redis
      EngineVersion: '6.2'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

  replication_group_id        = "cc-redis-cache-cluster"
  description                 = "Production Replication Group"
  engine                      = "redis"
  node_type                   = "cache.t2.micro"
  num_cache_clusters          = 2
  parameter_group_name        = "default.redis6.x"

  # Upgrade Redis Cache Engine to Latest Supported Version
  engine_version              = "6.2"
  apply_immediately           = true

}

Using AWS CLI

01 To upgrade the cache engine version of your Redis cache cluster to the latest stable version supported by AWS, run modify-replication-group command (OSX/Linux/UNIX) using the ID of the replication group (not the ID of one of its member clusters) as the identifier parameter; the change is applied to every member cluster of the group. Include the --apply-immediately parameter if you want the engine version change applied right away; without it, the change is processed during the next maintenance window. ElastiCache performs Redis upgrades on a best-effort basis to retain the existing data, but expect brief interruptions while the members are upgraded and failed over, and note that an engine version cannot be downgraded afterwards. If the target version belongs to a different parameter group family than the current one (for example redis5.0 to redis6.x), pass a parameter group of the new family with --cache-parameter-group-name in the same request:

aws elasticache modify-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster \
  --engine-version 6.2 \
  --apply-immediately

02 The command output should return the configuration information available for the modified Redis replication group:

{
    "ReplicationGroup": {
        "ReplicationGroupId": "cc-redis-cache-cluster",
        "Description": " ",
        "GlobalReplicationGroupInfo": {},
        "Status": "modifying",
        "PendingModifiedValues": {},
        "MemberClusters": [
            "cc-redis-cache-cluster-001",
            "cc-redis-cache-cluster-002"
        ],
        "NodeGroups": [
            {
                "NodeGroupId": "0001",
                "Status": "modifying",
                "PrimaryEndpoint": {
                    "Address": "cc-redis-cache-cluster.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "ReaderEndpoint": {
                    "Address": "cc-redis-cache-cluster-ro.abcabc.ng.0001.use1.cache.amazonaws.com",
                    "Port": 6379
                },
                "NodeGroupMembers": [
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-001",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-001.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1c",
                        "CurrentRole": "primary"
                    },
                    {
                        "CacheClusterId": "cc-redis-cache-cluster-002",
                        "CacheNodeId": "0001",
                        "ReadEndpoint": {
                            "Address": "cc-redis-cache-cluster-002.abcabc.0001.use1.cache.amazonaws.com",
                            "Port": 6379
                        },
                        "PreferredAvailabilityZone": "us-east-1b",
                        "CurrentRole": "replica"
                    }
                ]
            }
        ],
        "AutomaticFailover": "disabled",
        "MultiAZ": "disabled",
        "SnapshotRetentionLimit": 0,
        "SnapshotWindow": "07:00-08:00",
        "ClusterEnabled": false,
        "CacheNodeType": "cache.t2.micro",
        "TransitEncryptionEnabled": false,
        "AtRestEncryptionEnabled": false,
        "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
        "LogDeliveryConfigurations": [],
        "ReplicationGroupCreateTime": "2022-05-13T17:47:40.423000+00:00",
        "DataTiering": "disabled"
    }
}

03 Repeat steps no. 1 and 2 for each Redis cache cluster that you want to reconfigure, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
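The two CLI procedures on this page, the Audit steps that compare each cluster's EngineVersion with the newest supported release and the Remediation steps that issue modify-cache-cluster or modify-replication-group, can be scripted end to end. The Python script below is an added example written for this page; it is not Conformity's or AWS's code. It works on the JSON shapes returned by aws elasticache describe-cache-clusters and aws elasticache describe-cache-engine-versions (the latter is the service's own list of supported versions and replaces the manual documentation lookup); the records embedded in it are constructed so that it runs offline, and in practice you would load the two arrays from the CLI output instead. It handles three points the manual steps gloss over: for Redis 6 and later the service lists a version such as "6.2" while a node reports "6.2.6", so versions are compared only to the precision of the listed string; Redis clusters that belong to a replication group are upgraded through one modify-replication-group call on the group rather than per member; and a Memcached upgrade replaces the nodes, so the plan flags the loss of cached data. The parameter group family naming it relies on (default.memcached1.6, default.redis5.0, default.redis6.x, default.redis7), the name-based family check, and the _cluster helper that builds the sample records are assumptions of this example.

```python
"""Audit ElastiCache engine versions and plan the upgrade calls (added example,
not Conformity's or AWS's code).  Input shapes follow `aws elasticache
describe-cache-clusters` / `describe-cache-engine-versions`; the records below
are constructed.  Assumed parameter-group naming: default.memcached1.6, default.redis6.x."""
from collections import OrderedDict

def _cluster(cid, engine, version, pgroup, rgroup=None):
    """Constructed describe-cache-clusters record (only the fields used here)."""
    rec = {"CacheClusterId": cid, "Engine": engine, "EngineVersion": version,
           "CacheParameterGroup": {"CacheParameterGroupName": pgroup}}
    if rgroup:
        rec["ReplicationGroupId"] = rgroup
    return rec

SAMPLE_CLUSTERS = [
    _cluster("cc-memcached-cluster", "memcached", "1.5.10", "default.memcached1.5"),
    _cluster("cc-redis-cache-cluster-001", "redis", "5.0.6", "default.redis5.0", "cc-redis-cache-cluster"),
    _cluster("cc-redis-cache-cluster-002", "redis", "5.0.6", "default.redis5.0", "cc-redis-cache-cluster"),
    _cluster("cc-redis-current-001", "redis", "6.2.6", "default.redis6.x", "cc-redis-current"),
]
# Constructed describe-cache-engine-versions output ("6.x" is a retired alias).
SAMPLE_ENGINE_VERSIONS = [{"Engine": e, "EngineVersion": v} for e, v in
                          [("memcached", "1.5.16"), ("memcached", "1.6.6"),
                           ("redis", "5.0.6"), ("redis", "6.x"), ("redis", "6.2")]]

def parse_version(text):
    """'6.2.6' -> (6, 2, 6); '6.x' -> (6,): a non-numeric part ends the tuple."""
    parts = []
    for part in text.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)

def latest_supported(engine_versions, engine):
    """Newest version string the service lists for this engine."""
    names = [v["EngineVersion"] for v in engine_versions if v["Engine"] == engine]
    if not names:
        raise ValueError("no supported versions listed for engine %r" % engine)
    return max(names, key=parse_version)

def is_current(installed, latest):
    """Compare only as many components as the service string carries, so a
    node reporting 6.2.6 is current when the newest listed entry is '6.2'."""
    have, want = parse_version(installed), parse_version(latest)
    return have[:len(want)] >= want

def find_outdated(clusters, engine_versions):
    """[(cluster_id, engine, installed, latest)] for clusters behind the newest version."""
    outdated = []
    for c in clusters:
        latest = latest_supported(engine_versions, c["Engine"])
        if not is_current(c["EngineVersion"], latest):
            outdated.append((c["CacheClusterId"], c["Engine"], c["EngineVersion"], latest))
    return outdated

def param_family(engine, version):
    """Parameter-group family a target version needs (assumed naming, see top)."""
    maj, mnr = (parse_version(version) + (0, 0))[:2]
    if engine == "memcached":
        return "memcached%d.%d" % (maj, mnr)
    return "redis%d" % maj if maj >= 7 else ("redis6.x" if maj == 6 else "redis%d.%d" % (maj, mnr))

def plan_upgrades(clusters, engine_versions, apply_immediately=False):
    """Map outdated clusters to the CLI call that actually upgrades them.

    Memcached: modify-cache-cluster on the cluster itself; nodes are replaced,
    so cached data is lost.  Redis members of a replication group are upgraded
    together, by one modify-replication-group call on the group.  ElastiCache
    never downgrades, so find_outdated() only ever yields forward moves.
    """
    by_id = {c["CacheClusterId"]: c for c in clusters}
    plan = OrderedDict()
    for cid, engine, installed, latest in find_outdated(clusters, engine_versions):
        rgroup = by_id[cid].get("ReplicationGroupId") if engine == "redis" else None
        key = ("modify-replication-group", rgroup) if rgroup else ("modify-cache-cluster", cid)
        if key in plan:                      # another member of a group already planned
            plan[key]["members"].append(cid)
            continue
        cmd = ["aws", "elasticache", key[0],
               "--replication-group-id" if rgroup else "--cache-cluster-id", key[1],
               "--engine-version", latest]
        target = param_family(engine, latest)
        if target not in by_id[cid]["CacheParameterGroup"]["CacheParameterGroupName"]:
            # Crossing a family needs a parameter group of the new family (matched by
            # name, the API does not return the family); the default one is proposed.
            cmd += ["--cache-parameter-group-name", "default." + target]
        if apply_immediately:                # else the change waits for the maintenance window
            cmd.append("--apply-immediately")
        plan[key] = {"command": " ".join(cmd), "members": [cid], "from": installed, "to": latest,
                     "note": ("cached data is lost on a Memcached upgrade" if engine == "memcached"
                              else "applies to every member of the replication group")}
    return list(plan.values())

if __name__ == "__main__":
    for step in plan_upgrades(SAMPLE_CLUSTERS, SAMPLE_ENGINE_VERSIONS, apply_immediately=True):
        print(step["command"], " #", step["note"])
```

Run against real data by dumping the CacheClusters and CacheEngineVersions arrays from the two CLI commands (per region) into the script in place of the constructed samples; review the printed commands, in particular the proposed default parameter group, before executing them, since a custom parameter group of the new family has to be created and its settings ported by hand.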

Publication date Dec 20, 2017