01 Run the describe-replication-groups command (OSX/Linux/UNIX) to describe the configuration information available for the Redis cache cluster (replication group) that you want to reconfigure:
aws elasticache describe-replication-groups \
  --replication-group-id cc-redis-cache-cluster \
  --query 'ReplicationGroups'
02 The command output should return the requested cache cluster configuration information. This information will be useful for creating the new Redis cluster:
[
  {
    "ReplicationGroupId": "cc-redis-cache-cluster",
    "Description": " ",
    "GlobalReplicationGroupInfo": {},
    "Status": "available",
    "PendingModifiedValues": {},
    "MemberClusters": [
      "cc-redis-cache-cluster-001",
      "cc-redis-cache-cluster-002"
    ],
    "NodeGroups": [
      {
        "NodeGroupId": "0001",
        "Status": "available",
        "PrimaryEndpoint": {
          "Address": "cc-redis-cache-cluster.abcabc.ng.0001.use1.cache.amazonaws.com",
          "Port": 6379
        },
        "ReaderEndpoint": {
          "Address": "cc-redis-cache-cluster-ro.abcabc.ng.0001.use1.cache.amazonaws.com",
          "Port": 6379
        },
        "NodeGroupMembers": [
          {
            "CacheClusterId": "cc-redis-cache-cluster-001",
            "CacheNodeId": "0001",
            "ReadEndpoint": {
              "Address": "cc-redis-cache-cluster-001.abcabc.0001.use1.cache.amazonaws.com",
              "Port": 6379
            },
            "PreferredAvailabilityZone": "us-east-1d",
            "CurrentRole": "primary"
          },
          {
            "CacheClusterId": "cc-redis-cache-cluster-002",
            "CacheNodeId": "0001",
            "ReadEndpoint": {
              "Address": "cc-redis-cache-cluster-002.abcabc.0001.use1.cache.amazonaws.com",
              "Port": 6379
            },
            "PreferredAvailabilityZone": "us-east-1c",
            "CurrentRole": "replica"
          }
        ]
      }
    ],
    "AutomaticFailover": "disabled",
    "MultiAZ": "disabled",
    "SnapshotRetentionLimit": 0,
    "SnapshotWindow": "05:00-06:00",
    "ClusterEnabled": false,
    "CacheNodeType": "cache.t2.micro",
    "AuthTokenEnabled": false,
    "TransitEncryptionEnabled": false,
    "AtRestEncryptionEnabled": false,
    "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
    "LogDeliveryConfigurations": [],
    "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
    "DataTiering": "disabled"
  }
]
03 Re-create the source Amazon ElastiCache Redis cache cluster (replication group) with the create-replication-group command (OSX/Linux/UNIX), using the cluster configuration information returned at the previous step together with the --transit-encryption-enabled and --at-rest-encryption-enabled command parameters, which enable in-transit and at-rest encryption for the new Redis cache cluster. To use your own Amazon KMS Customer Master Key (CMK) for encryption at rest, include the --kms-key-id parameter in the command request:
aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-encrypted-redis-cache-cluster" \
  --replication-group-description "Encrypted Redis Cache Replication Group" \
  --engine "redis" \
  --num-cache-clusters 2 \
  --cache-node-type "cache.t2.micro" \
  --transit-encryption-enabled \
  --at-rest-encryption-enabled \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
04 The command output should return the metadata available for the new Redis cache cluster:
{
  "ReplicationGroup": {
    "ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
    "Description": "Encrypted Redis Cache Replication Group",
    "GlobalReplicationGroupInfo": {},
    "Status": "creating",
    "PendingModifiedValues": {},
    "MemberClusters": [
      "cc-encrypted-redis-cache-cluster-001",
      "cc-encrypted-redis-cache-cluster-002"
    ],
    "AutomaticFailover": "disabled",
    "MultiAZ": "disabled",
    "SnapshotRetentionLimit": 0,
    "SnapshotWindow": "04:00-05:00",
    "ClusterEnabled": false,
    "CacheNodeType": "cache.t2.micro",
    "TransitEncryptionEnabled": true,
    "AtRestEncryptionEnabled": true,
    "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-encrypted-redis-cache-cluster",
    "LogDeliveryConfigurations": [],
    "ReplicationGroupCreateTime": "2022-05-17T11:40:46.317000+00:00",
    "DataTiering": "disabled"
  }
}
05 Once you have replaced the source cluster endpoint within your application code, it is safe to terminate the source cache cluster in order to stop incurring charges for the AWS resource. To remove the source (non-compliant) Redis cluster from your AWS account, run the delete-replication-group command (OSX/Linux/UNIX):
aws elasticache delete-replication-group \
  --region us-east-1 \
  --replication-group-id cc-redis-cache-cluster
06 The output should return the delete-replication-group command request metadata:
{
  "ReplicationGroup": {
    "ReplicationGroupId": "cc-redis-cache-cluster",
    "Description": " ",
    "GlobalReplicationGroupInfo": {},
    "Status": "deleting",
    "PendingModifiedValues": {},
    "AutomaticFailover": "disabled",
    "MultiAZ": "disabled",
    "SnapshotRetentionLimit": 0,
    "SnapshotWindow": "05:00-06:00",
    "TransitEncryptionEnabled": false,
    "AtRestEncryptionEnabled": false,
    "ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-redis-cache-cluster",
    "LogDeliveryConfigurations": [],
    "ReplicationGroupCreateTime": "2022-05-13T06:39:20.168000+00:00",
    "DataTiering": "disabled"
  }
}
07 Repeat steps no. 1 – 6 for each Redis cache cluster that you want to re-create, available in the selected AWS region.
08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the remediation process for other regions.
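The audit-and-derive part of steps 1 to 3, as an added Python example that is not part of the original page: it takes the ReplicationGroups list that describe-replication-groups returns, flags every group with TransitEncryptionEnabled or AtRestEncryptionEnabled set to false, and derives the create-replication-group argument list for an encrypted replacement from the original group's member count and node type. The sample JSON is constructed from the fields shown on this page and trimmed to what the script reads; the function names, the replacement id suffix and the description text are assumptions of this example. It handles only non-cluster-mode groups (ClusterEnabled false, as on this page) and refuses cluster-mode groups rather than guessing their sizing parameters.

```python
"""Find ElastiCache Redis replication groups without encryption and derive
the create-replication-group arguments for an encrypted replacement."""
import json
import shlex

# Constructed sample: the 'ReplicationGroups' list as returned by
# `aws elasticache describe-replication-groups --query 'ReplicationGroups'`,
# trimmed to the fields this script uses. Values are illustrative only.
SAMPLE_OUTPUT = """
[
  {
    "ReplicationGroupId": "cc-redis-cache-cluster",
    "Description": " ",
    "MemberClusters": ["cc-redis-cache-cluster-001", "cc-redis-cache-cluster-002"],
    "ClusterEnabled": false,
    "CacheNodeType": "cache.t2.micro",
    "TransitEncryptionEnabled": false,
    "AtRestEncryptionEnabled": false
  },
  {
    "ReplicationGroupId": "cc-encrypted-redis-cache-cluster",
    "Description": "Encrypted Redis Cache Replication Group",
    "MemberClusters": ["cc-encrypted-redis-cache-cluster-001",
                       "cc-encrypted-redis-cache-cluster-002"],
    "ClusterEnabled": false,
    "CacheNodeType": "cache.t2.micro",
    "TransitEncryptionEnabled": true,
    "AtRestEncryptionEnabled": true
  }
]
"""
SAMPLE_GROUPS = json.loads(SAMPLE_OUTPUT)


def missing_encryption(group):
    """Names of the encryption settings that are disabled for one group.
    A missing key is treated as disabled, so an unexpected response shape
    is reported rather than silently passed."""
    gaps = []
    if not group.get("TransitEncryptionEnabled", False):
        gaps.append("transit")
    if not group.get("AtRestEncryptionEnabled", False):
        gaps.append("at-rest")
    return gaps


def find_unencrypted(groups):
    """IDs of replication groups with either encryption setting disabled."""
    return [g["ReplicationGroupId"] for g in groups if missing_encryption(g)]


def build_create_args(group, new_id, region, description, kms_key_id=None):
    """Derive the create-replication-group argument list for an encrypted
    replacement of `group`, carrying over its size and node type."""
    if group.get("ClusterEnabled"):
        # Cluster-mode groups are sized with node-group parameters that this
        # example does not derive; refuse rather than guess.
        raise ValueError(f"{group['ReplicationGroupId']}: cluster-mode groups are not handled")
    args = [
        "aws", "elasticache", "create-replication-group",
        "--region", region,
        "--replication-group-id", new_id,
        "--replication-group-description", description,
        "--engine", "redis",
        # One member cluster per node in a non-cluster-mode group.
        "--num-cache-clusters", str(len(group["MemberClusters"])),
        "--cache-node-type", group["CacheNodeType"],
        "--transit-encryption-enabled",
        "--at-rest-encryption-enabled",
    ]
    if kms_key_id:
        # Optional customer-managed KMS key for at-rest encryption.
        args += ["--kms-key-id", kms_key_id]
    return args


if __name__ == "__main__":
    for gid in find_unencrypted(SAMPLE_GROUPS):
        group = next(g for g in SAMPLE_GROUPS if g["ReplicationGroupId"] == gid)
        print(f"{gid}: encryption disabled for {', '.join(missing_encryption(group))}")
        # Assumed naming: append "-encrypted" to the source id for the replacement.
        cmd = build_create_args(group, f"{gid}-encrypted", "us-east-1",
                                "Encrypted Redis Cache Replication Group")
        print("  " + shlex.join(cmd))
```

Feed it the real output of step 1 with `json.load` instead of SAMPLE_GROUPS and it prints a ready-to-review command for each non-compliant group. Two points the procedure above leaves implicit: the source group on this page has SnapshotRetentionLimit 0, so nothing in steps 3 to 5 carries data across, and since the replacement enforces in-transit encryption, the application's Redis client must connect over TLS when its endpoint is switched in step 5.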