ElastiCache Engine Version

Risk level: Medium (should be achieved)

Rule ID: EC-013

Ensure that your Amazon ElastiCache clusters are using the stable latest version of Redis/Memcached cache engine in order to adhere to AWS best practices, benefit from better security by having the most recent vulnerability patches, receive the latest Redis and Memcached software features and get the latest performance optimizations.

This rule can help you with the following compliance standards:

Payment Card Industry Data Security Standard (PCI DSS)
APRA
MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

Reliability

Security

When running your ElastiCache clusters with the latest version of Redis/Memcached cache engine you will benefit from new features and enhancements, better performance, better memory management, bug fixes and security patches. For example, upgrading your ElastiCache Redis clusters version to 3.2.6 will get you all the improvements that come with Redis engine version 3 (data partitioning, geospatial indexing, online cluster resizing, replica scaling, etc) plus the ones added by AWS such as support for newer cache node types, in-transit and at-rest encryption, and support for HIPAA compliance. For ElastiCache Memcached clusters, upgrading the engine version to 1.4.34 will add several bug fixes, systemd service hardening, improved support for large items over 1MB and the ability to dynamically increase the amount of memory available to the engine without having to restart the cache cluster.

Audit

To determine if your AWS ElastiCache clusters are using the latest version of Redis/Memcached cache engine, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Memcached to access the cache clusters created with the Memcached in-memory cache engine or Redis to access the clusters created with the Redis engine.

04 Choose the ElastiCache Memcached/Redis cache cluster that you want to examine and click on the Show/Hide Item Details button to expand the panel with the AWS resource configuration details.

05 On the cache cluster details panel, check Engine Version Compatibility attribute value to determine the Memcached/Redis engine version.

06 Use this URL to check the latest stable version of the Memcached engine supported by AWS and this URL to check the latest version of the Redis cache engine supported.

07 Compare the latest Memcached/Redis engine version supported by AWS with the version used by your existing cache clusters, listed as value for the Engine Version Compatibility attribute. If there is a newer Memcached/Redis engine version released and supported by AWS ElastiCache service, the cache engine version for the selected ElastiCache clusters should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

08 Repeat steps no. 4 - 7 to verify the cache engine version for other AWS ElastiCache clusters available within the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) using custom query filters to list the cache engine version utilized for each ElastiCache cluster provisioned in the selected AWS region:

aws elasticache describe-cache-clusters
	--region us-east-1
	--output table
	--query 'CacheClusters[*].[CacheClusterId, Engine, EngineVersion]'

02 The command output should return a table that contains sets of metadata representing the cluster identifier (first column), the cache engine type – Memcached or Redis (second column) and the cache engine version in use (third column):

-----------------------------------------------------
|               DescribeCacheClusters               |
+--------------------------+-------------+----------+
|  cc-memcached-cache      |  memcached  |  1.4.14  |
|  cc-redis-web-cache-001  |  redis      |  3.2.4   |
|  cc-redis-web-cache-002  |  redis      |  3.2.4   |
+--------------------------+-------------+----------+

03 Now open this URL to check the latest stable version of the Memcached engine supported by AWS and this URL to check the latest version of the Redis cache engine supported.

04 Compare the latest Memcached/Redis engine version supported by AWS with the version used by your existing cache clusters, listed at the previous step in the third column. If there is a newer Memcached/Redis engine version released and supported by AWS ElastiCache service, the cache engine version for your existing ElastiCache clusters should be upgraded to benefit from all the security and performance improvements that come with the latest version of the software.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the audit process for other regions.

Remediation / Resolution

To upgrade the Memcached/Redis cache engine version for your existing Amazon ElastiCache clusters, perform the following:

Note 1: ElastiCache Redis cache clusters with cluster mode enabled does not support changing engine version.
Note 2: Because the Memcached engine does not support persistence, the engine version upgrade is a disruptive process which clears all cache data within the ElastiCache Memcached cluster.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

04 Select the ElastiCache Memcached/Redis cache cluster that you want to reconfigure and click on the Modify button from the dashboard top menu to start the engine version upgrade process.

05 Inside Modify Cluster dialog box, select the latest stable version available from the Engine Version Compatibility dropdown list for the selected Memcached/Redis cache cluster. Select Apply Immediately checkbox if you want to apply the engine version change immediately. If Apply Immediately is not selected, the change will be processed during the next maintenance window. For Memcached clusters, changing the engine version clears all the existing cache data. For Redis clusters, the primary nodes become unavailable to the service requests during the upgrade process.

06 Click Modify to start the engine version upgrade process. The cluster status should change to modifying, then back to available once the process is complete.

07 Repeat steps no. 4 - 6 to upgrade the Memcached/Redis cache engine version for other AWS ElastiCache clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Based on the cache engine type used by your ElastiCache cluster, perform the following commands:

To upgrade the cache engine version for an AWS ElastiCache Memcached cluster, run modify-cache-cluster command (OSX/Linux/UNIX) using the name of the cache cluster that you want to reconfigure as identifier (see Audit section part II to identify the right resource). Include --apply-immediately parameter in your request if you want to apply the engine version change immediately. If --apply-immediately is not specified, the change will be processed during the next maintenance window:

aws elasticache modify-cache-cluster
	--region us-east-1
	--cache-cluster-id cc-memcached-cache
	--engine-version 1.4.34
	--apply-immediately

The command output should return the configuration details (metadata) for the selected AWS ElastiCache cluster:

{
    "CacheCluster": {
        "Engine": "memcached",
        "CacheParameterGroup": {
            "CacheParameterGroupName": "default.memcached1.4",
            "ParameterApplyStatus": "in-sync"
        },
        "CacheClusterId": "cc-memcached-cache",
        "PreferredAvailabilityZone": "us-east-1a",
        "ConfigurationEndpoint": {
            "Port": 11211,
            "Address": "cc-memcached-cache.abc.cache.amazonaws.com"
        },
        "AtRestEncryptionEnabled": false,

        ...

        "CacheClusterCreateTime": "2016-11-20T10:56:56.932Z",
        "AutoMinorVersionUpgrade": true,
        "CacheClusterStatus": "modifying",
        "NumCacheNodes": 2,
        "TransitEncryptionEnabled": false,
        "CacheSubnetGroupName": "default",
        "EngineVersion": "1.4.24",
        "PendingModifiedValues": {
            "EngineVersion": "1.4.34"
        },
        "PreferredMaintenanceWindow": "sun:07:00-sun:08:00",
        "CacheNodeType": "cache.r4.large"
    }
}

To upgrade the cache engine version for an AWS ElastiCache Redis cluster, run modify-replication-group command (OSX/Linux/UNIX) using the name of the cluster (replication group) that you want to reconfigure as identifier (see Audit section part II to identify the right ElastiCache resource). Include --apply-immediately parameter in your request if you want to apply the engine version change immediately. If --apply-immediately is not specified, the change will be processed during the next maintenance window:

aws elasticache modify-replication-group
	--region us-east-1
	--replication-group-id cc-redis-web-cache
	--engine-version 3.2.6
	--apply-immediately

The command output should return the configuration details (metadata) for the selected AWS ElastiCache cluster:

{
    "ReplicationGroup": {
        "Status": "modifying",
        "Description": "Redis Production Web Cache",
        "AtRestEncryptionEnabled": false,
        "ClusterEnabled": false,
        "ReplicationGroupId": "cc-redis-web-cache",

        ...

        "AutomaticFailover": "disabled",
        "TransitEncryptionEnabled": false,
        "MemberClusters": [
            "cc-redis-web-cache-001",
            "cc-redis-web-cache-002"
        ],
        "CacheNodeType": "cache.r4.xlarge",
        "PendingModifiedValues": {}
    }
}

02 Repeat step no. 1 to upgrade the Memcached/Redis cache engine version for other AWS ElastiCache clusters available in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the process for other regions.

References

AWS Command Line Interface (CLI) Documentation
elasticache
describe-cache-clusters
modify-cache-cluster
modify-replication-group

Publication date Dec 20, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

ElastiCache Engine Version

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ElastiCache rules