Profile Applicability:

  • Level 1

Description:

Amazon ElastiCache is a fully managed in-memory cache service, and Redis is one of the engines supported by ElastiCache. Automatic minor version upgrades ensure that Redis clusters are always running on the latest stable minor version of the Redis engine. This SOP ensures that automatic minor version upgrades are enabled for Redis cache clusters, allowing the system to automatically apply minor updates and patches as they become available.

By enabling automatic minor upgrades, ElastiCache Redis clusters will receive the latest updates, including bug fixes, performance improvements, and security patches, without requiring manual intervention. This feature helps ensure the cache cluster is always running the most stable and secure version of Redis.

Rationale:

Enabling automatic minor version upgrades in ElastiCache Redis offers the following benefits:

  • Security: Automatically applies critical security updates, reducing the risk of vulnerabilities and exploits.

  • Stability: Ensures that Redis instances are running the most stable and tested version, improving system reliability.

  • Operational Efficiency: Reduces the need for manual intervention to apply minor version updates, saving time and effort.

  • Compliance: Helps ensure that Redis clusters meet compliance requirements for patch management by automatically keeping the system updated.

Impact:

Pros:

  • Security: Automatically applies security patches and updates to prevent vulnerabilities.

  • Reduced Management Overhead: Eliminates the need for manual intervention to apply minor version updates.

  • Stability: Ensures the Redis cache cluster is running on a stable version with the latest performance and bug fixes.

  • Compliance: Supports compliance with industry standards requiring the timely application of software patches.

Cons:

  • Operational Overhead during Updates: Although minor updates typically do not cause issues, they could cause temporary downtime or performance degradation during the upgrade process.

  • Compatibility: In rare cases, automatic upgrades could introduce compatibility issues with custom applications or configurations that rely on a specific Redis version.

Default Value:

By default, automatic minor version upgrades are enabled for ElastiCache Redis clusters. However, the setting can be disabled during cluster creation or modification.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticache:DescribeCacheClusters

    • elasticache:ModifyCacheCluster

  • AWS CLI installed and configured.

  • Basic understanding of ElastiCache Redis, cluster configurations, and minor version upgrades.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ElastiCache under Services.

  3. Go to Redis clusters in the ElastiCache Dashboard.

  4. Select the Redis cache cluster you want to review.

  5. Check the Maintenance section under the Cluster Details tab.

    • Ensure that Automatic Minor Version Upgrade is enabled (the option should be checked).

Using AWS CLI:

To describe the ElastiCache Redis cluster and check if automatic minor version upgrades are enabled, run:

aws elasticache describe-cache-clusters --query 'CacheClusters[*].{CacheClusterId:CacheClusterId,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}'

The output should show AutoMinorVersionUpgrade as true for clusters with automatic minor upgrades enabled. Example output:

[
  {
    "CacheClusterId": "my-redis-cluster",
    "AutoMinorVersionUpgrade": true
  }
]

If AutoMinorVersionUpgrade is false, update the cluster settings to enable the upgrade.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ElastiCache.

  3. In the ElastiCache Dashboard, go to Redis clusters and select the cluster you wish to modify.

  4. In the Cluster Details section, find the Maintenance settings.

  5. Ensure that Automatic Minor Version Upgrade is enabled.

  6. If it is disabled, enable Automatic Minor Version Upgrade and save the changes.

  7. This will ensure that the Redis cluster will automatically receive minor updates as they are released.

Using AWS CLI:

To enable automatic minor version upgrades for an existing Redis cluster, run:

aws elasticache modify-cache-cluster \
  --cache-cluster-id <cluster-id> \
  --auto-minor-version-upgrade true \
  --apply-immediately

To confirm the update, run:

aws elasticache describe-cache-clusters --query 'CacheClusters[*].{CacheClusterId:CacheClusterId,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}'

Verify that the AutoMinorVersionUpgrade field is set to true.
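As an added example (not part of this SOP), a small Python audit that applies the Test Plan check and prints the Implementation Steps command for every Redis cluster that fails it. It parses the JSON printed by aws elasticache describe-cache-clusters (the command above without its --query projection), so it runs offline on the constructed sample embedded below; the cluster IDs and versions in that sample are made up. It also skips Memcached clusters, which the same API call returns but this SOP does not cover.

```python
import json
import sys

# Constructed sample of describe-cache-clusters output (no real clusters).
# Real output carries many more fields per cluster; only these three matter here.
SAMPLE_OUTPUT = json.dumps({
    "CacheClusters": [
        {"CacheClusterId": "redis-prod-a", "Engine": "redis",
         "EngineVersion": "7.0.7", "AutoMinorVersionUpgrade": True},
        {"CacheClusterId": "redis-legacy-b", "Engine": "redis",
         "EngineVersion": "6.2.6", "AutoMinorVersionUpgrade": False},
        {"CacheClusterId": "memcached-c", "Engine": "memcached",
         "EngineVersion": "1.6.17", "AutoMinorVersionUpgrade": False},
    ]
})


def noncompliant_redis_clusters(describe_json: str) -> list:
    """Return sorted IDs of Redis clusters with automatic minor upgrades off.

    Memcached clusters are skipped because this SOP covers the Redis engine.
    A missing AutoMinorVersionUpgrade key counts as non-compliant so that an
    unexpected response shape is reported rather than silently passed.
    """
    data = json.loads(describe_json)
    return sorted(
        c["CacheClusterId"]
        for c in data.get("CacheClusters", [])
        if c.get("Engine") == "redis"
        and c.get("AutoMinorVersionUpgrade") is not True
    )


def remediation_commands(cluster_ids: list) -> list:
    """Emit the SOP's modify-cache-cluster command for each finding."""
    return [
        f"aws elasticache modify-cache-cluster --cache-cluster-id {cid} "
        "--auto-minor-version-upgrade true --apply-immediately"
        for cid in cluster_ids
    ]


if __name__ == "__main__":
    # Usage: aws elasticache describe-cache-clusters > out.json; python3 audit.py out.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    findings = noncompliant_redis_clusters(raw)
    print("\n".join(remediation_commands(findings)) or "all Redis clusters compliant")
    sys.exit(1 if findings else 0)
```

Review each printed command before running it; the non-zero exit status makes the script usable as a scheduled compliance check.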

Backout Plan:

If enabling automatic minor version upgrades causes issues (e.g., compatibility with specific versions):

  1. Identify the affected Redis cluster.

  2. Disable automatic minor version upgrades by running the following command:

aws elasticache modify-cache-cluster \
  --cache-cluster-id <cluster-id> \
  --auto-minor-version-upgrade false \
  --apply-immediately

  3. Verify that the AutoMinorVersionUpgrade field is now set to false and that the Redis cluster will no longer be upgraded automatically.

Note:

  • Minor Upgrades: Minor version updates generally include bug fixes and performance improvements, and they should not cause major issues. However, it is advisable to test new versions in a staging environment before applying them in production.

  • Update During Off-Peak Hours: For critical production environments, schedule upgrades during off-peak hours to minimize the impact of temporary performance degradation.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |