
ElastiCache Reserved Cache Node Recent Purchases

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC-008

Ensure that all Amazon ElastiCache Reserved Cache Node (RCN) purchases are reviewed every 7 days in order to confirm that no unwanted reservation purchase has been placed recently.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

By checking your ElastiCache Reserved Cache Nodes on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS monthly bill.

Note: You can change the default threshold value (7 days) for the review time range within the rule settings available on the Cloud Conformity console.

Audit

To identify all ElastiCache RCN purchases placed recently in your AWS account for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Reserved Nodes.

04 Choose the active ElastiCache Reserved Cache Node that you want to examine.

05 Click the Show or Hide Item Details button displayed for the selected RCN to expand the reservation details panel and check the Start Date attribute value (e.g. March 20, 2017 at 14:25:09 PM UTC+3). If the Start Date value shows an AWS ElastiCache RCN purchase request placed in the last 7 days and you are unaware of this purchase, verify your AWS CloudTrail logs or contact Amazon Web Services using the Support Center console to solve the unwanted RCN purchase issue (see Remediation/Resolution section for more details).

06 Repeat steps no. 4 and 5 to check the RCN purchase request date for the other ElastiCache Reserved Cache Nodes available within the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-reserved-cache-nodes command (OSX/Linux/UNIX) with a custom query filter to list the unique identifiers of all ElastiCache RCNs purchased in the selected AWS region:

aws elasticache describe-reserved-cache-nodes \
    --region us-east-1 \
    --output table \
    --query 'ReservedCacheNodes[*].ReservedCacheNodeId'

02 The command output should return a table with the requested RCN identifiers:

------------------------
| ReservedCacheNodeIds |
+----------------------+
| cc-redis-cache-rcn-1 |
| cc-redis-cache-rcn-2 |
+----------------------+

03 Run the describe-reserved-cache-nodes command (OSX/Linux/UNIX) again, using the ElastiCache RCN identifier returned at the previous step and a custom query filter, to return the date at which the ElastiCache reservation purchase request was placed:

aws elasticache describe-reserved-cache-nodes \
    --region us-east-1 \
    --reserved-cache-node-id cc-redis-cache-rcn-1 \
    --query 'ReservedCacheNodes[*].StartTime'

04 The command output should return the date when the requested ElastiCache reservation started:

[
    "2017-03-20T14:25:09.272Z"
]

If the StartTime value returned indicates an ElastiCache RCN purchase request placed in the last 7 days and you are unaware of this purchase, verify your AWS CloudTrail logs or contact AWS using the Support Center console to solve the issue.

05 Repeat steps no. 3 and 4 to check the purchase request timestamp for the other ElastiCache reservations available in the selected region.

06 Change the AWS region by updating the --region command parameter value and perform the entire audit process for other regions.
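To apply the same StartTime check to every reservation a region returns at once, rather than one identifier at a time, here is an added Python example (not part of the original article or of the Conformity tool) that reads the JSON printed by `aws elasticache describe-reserved-cache-nodes` from stdin and flags reservations whose StartTime falls inside the review window; the sample response, reservation IDs and timestamps embedded below are constructed.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

DEFAULT_THRESHOLD_DAYS = 7  # the rule's default review window

# Constructed sample in the shape of describe-reserved-cache-nodes output;
# the reservation IDs, node types and timestamps are made up for this example.
SAMPLE_RESPONSE = {"ReservedCacheNodes": [
    {"ReservedCacheNodeId": "cc-redis-cache-rcn-1", "CacheNodeType": "cache.t3.medium",
     "State": "active", "StartTime": "2017-03-20T14:25:09.272Z"},
    {"ReservedCacheNodeId": "cc-redis-cache-rcn-2", "CacheNodeType": "cache.m5.large",
     "State": "active", "StartTime": "2017-01-02T09:00:00.000Z"},
]}


def parse_time(value):
    """Parse the ISO-8601 timestamps the CLI prints; a trailing 'Z' means UTC.
    Both the v1 style (…09.272Z) and the v2 style (…09.272000+00:00) are accepted."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recent_purchases(response, now, threshold_days=DEFAULT_THRESHOLD_DAYS):
    """Return the IDs of reservations whose StartTime lies within the last
    threshold_days relative to `now` (a timezone-aware datetime or an ISO-8601 string)."""
    if isinstance(now, str):
        now = parse_time(now)
    cutoff = now - timedelta(days=threshold_days)
    return [node["ReservedCacheNodeId"]
            for node in response.get("ReservedCacheNodes", [])
            if parse_time(node["StartTime"]) >= cutoff]


if __name__ == "__main__":
    # Usage: aws elasticache describe-reserved-cache-nodes --region <region> | python3 rcn_check.py
    # Without piped input the constructed sample is checked instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for rcn_id in recent_purchases(data, datetime.now(timezone.utc)):
        print("REVIEW: %s was purchased in the last %d days" % (rcn_id, DEFAULT_THRESHOLD_DAYS))
```

Run it once per region (changing --region on the CLI side) to cover the whole account, mirroring step 6.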

Remediation / Resolution

Case A: Check the CloudTrail service logs (if Amazon CloudTrail is enabled) from the date when the ElastiCache RCN purchase request was placed to determine the request origin and context. To find and analyze the necessary AWS API logging data recorded by CloudTrail, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel select Trails.

04 Under Name column, select the trail name that you need to examine, available in the same AWS region with the identified ElastiCache RCN unwanted purchases.

05 Within Storage location section, check the name of the S3 bucket used to store the trail log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket utilized to store the CloudTrail logging data and use the date/time bucket name format (e.g. cloudtrail-logging-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20) to open the right log file (S3 object) for analysis.

08 Based on the log file name (e.g. 123456789012_CloudTrail_us-east-1_20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz), identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted ElastiCache RCN purchase request, click the Actions dropdown button from the dashboard top menu and select Open to open the log file in your browser.

09 Once the right CloudTrail log file is opened, search for the following attributes in order to identify the log record that contains the API information of the purchase request:

  1. "eventSource":"elasticache.amazonaws.com" – for the name of the AWS service used to place the RCN purchase request.
  2. "eventName":"PurchaseReservedCacheNodesOffering" – for the name of the AWS API action used to place the RCN purchase request.
  3. "eventTime":"2017-03-20T14:25:09.272Z" – for the date when the ElastiCache RCN purchase request was placed.

10 Identify the right CloudTrail log record based on the attributes listed at the previous step and verify the "userIdentity" attribute value to determine the selected unwanted ElastiCache RCN purchase request origin and context.

11 Repeat steps no. 7 – 10 to verify the request origin and context for other unwanted ElastiCache reservation purchases placed in the selected region.

12 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails currently available within the selected AWS region:

aws cloudtrail describe-trails \
    --region us-east-1 \
    --output table \
    --query 'trailList[*].Name'

02 The command output should return a table with the requested trail name(s):

---------------------------
|     DescribeTrails      |
+-------------------------+
|  aws-global-env-trail   |
+-------------------------+

03 Run the describe-trails command (OSX/Linux/UNIX) again, using the name of the trail returned at the previous step and a custom query filter, to get the name of the S3 bucket used to store the log files for the selected trail:

aws cloudtrail describe-trails \
    --region us-east-1 \
    --trail-name-list aws-global-env-trail \
    --query 'trailList[*].S3BucketName'

04 The command output should return the name of the requested S3 bucket:

[
    "aws-env-trail-logs"
]

05 Run the list-objects command (OSX/Linux/UNIX) to list the keys of all S3 objects available within the selected S3 bucket:

aws s3api list-objects \
    --region us-east-1 \
    --bucket aws-env-trail-logs \
    --query 'Contents[].Key'

06 The command output should list the key of each S3 object (i.e. each CloudTrail log file) currently available in the selected S3 bucket:

[
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20/123456789012_CloudTrail_us-east-1_20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20/123456789012_CloudTrail_us-east-1_20170320T1425Z_65ZWtvmCqOcuwXIo.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20/123456789012_CloudTrail_us-east-1_20170320T1425Z_ntG0rPDvTVMKJdLe.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20/123456789012_CloudTrail_us-east-1_20170320T1425Z_00euohtdKFqkNjPH.json.gz"
]

07 Run the get-object command (OSX/Linux/UNIX) to fetch the right CloudTrail log file from the specified S3 bucket and save it to your machine under the local file name given as the last argument:

aws s3api get-object \
    --region us-east-1 \
    --bucket aws-env-trail-logs \
    --key AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/20/123456789012_CloudTrail_us-east-1_20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz \
    20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz

08 The command output should return the GET request metadata:

{
    "AcceptRanges": "bytes",
    "ContentType": "application/json",
    "LastModified": "Sat, 20 Mar 2017 14:25:09 GMT",
    "ContentLength": 10281,
    "ContentEncoding": "gzip",
    "ETag": "\"4dfbfa01349b8713ec69e0e4cf6968ea\"",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

09 Now extract (gunzip) and open the CloudTrail log file downloaded at the previous step, e.g. 20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz.

10 Once the log file is opened, search for the following attributes in order to identify the required log record:

  1. "eventSource":"elasticache.amazonaws.com" – for the name of the AWS service used to place the RCN purchase request.
  2. "eventName":"PurchaseReservedCacheNodesOffering" – for the name of the AWS API action used to place the RCN purchase request.
  3. "eventTime":"2017-03-20T14:25:09.272Z" – for the date when the ElastiCache RCN purchase request was placed.

11 Identify the right CloudTrail log record entry based on the attributes listed above and verify the "userIdentity" attribute value to determine the unwanted ElastiCache RCN purchase request origin and context.

12 Repeat steps no. 7 – 11 to verify the request origin and context for the other unwanted ElastiCache RCN purchases identified within the selected region.

13 Change the AWS region by updating the --region command parameter value and perform the entire process for other regions.
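Steps 9 to 11 can be automated over a downloaded log file. As an added example (not the article's or AWS's own code), the Python script below gunzips the .json.gz object fetched with get-object, keeps only the records whose eventSource and eventName match the PurchaseReservedCacheNodesOffering call, and reports the userIdentity, source IP address and requested reservation ID for each; the embedded log records, account ID, ARNs, IP addresses and offering ID are constructed.

```python
import gzip
import json
import sys

PURCHASE_SOURCE = "elasticache.amazonaws.com"
PURCHASE_EVENT = "PurchaseReservedCacheNodesOffering"

# Constructed sample in the CloudTrail log-file shape ({"Records": [...]});
# the account ID, ARNs, IP addresses and offering ID are made up for this example.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2017-03-20T14:20:01Z", "eventSource": "elasticache.amazonaws.com",
     "eventName": "DescribeCacheClusters", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-reader"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-03-20T14:25:09Z", "eventSource": "elasticache.amazonaws.com",
     "eventName": "PurchaseReservedCacheNodesOffering", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"reservedCacheNodesOfferingId": "example-offering-1",
                           "reservedCacheNodeId": "cc-redis-cache-rcn-1", "cacheNodeCount": 1}},
]}


def purchase_events(log):
    """Return who/when/where for every RCN purchase record in a CloudTrail log."""
    hits = []
    for rec in log.get("Records", []):
        if rec.get("eventSource") != PURCHASE_SOURCE or rec.get("eventName") != PURCHASE_EVENT:
            continue
        ident = rec.get("userIdentity", {})
        hits.append({
            "eventTime": rec.get("eventTime"),
            "identityType": ident.get("type"),  # IAMUser, AssumedRole, Root, ...
            "principal": ident.get("arn"),      # the identity that placed the purchase
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "reservedCacheNodeId": (rec.get("requestParameters") or {}).get("reservedCacheNodeId"),
        })
    return hits


def load_log_file(path):
    """Open a downloaded CloudTrail object; .json.gz files are gunzipped on the fly."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python3 rcn_trail.py 20170320T1425Z_09bTWvdrp5cuBq96Z.json.gz (no argument: sample)
    log = load_log_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in purchase_events(log):
        print(json.dumps(hit))
```

Run it over each log file listed for the purchase date (step 6) to cover all files written for that hour.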

Case B: Another way to mitigate unwanted ElastiCache Reserved Cache Node purchase requests is to contact Amazon Web Services and ask for the RCN purchases to be cancelled. To create the necessary case through the AWS Support Center, perform the following:

Note: Cancelling unwanted ElastiCache RCN purchase requests through the AWS Management Console or the AWS API via the Command Line Interface (CLI) is not currently supported; a support case is the only route.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at https://console.aws.amazon.com/support/.

03 On Support Center page, click Create case button to initiate the process.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Account and Billing Support option.
  2. Choose Billing from the Service dropdown list to send your request to AWS Billing and Cost Management service.
  3. Select Reserved Cache Nodes from the Category dropdown list.
  4. Inside the Subject box, enter a subject for your request such as "Cancel unwanted AWS ElastiCache Reserved Cache Node purchase".
  5. Inside the Description textbox, explain why you need to cancel your recent ElastiCache RCN purchase and how and when this unwanted purchase request was placed. This will help the AWS support team evaluate your request accordingly.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the cancellation request for your unwanted ElastiCache Reserved Cache Node purchase to Amazon Web Services. A customer support representative will contact you shortly.

Publication date Mar 14, 2017
