ElastiCache clusters should be provisioned in a VPC

Docs > Datadog Security > OOTB Rules > ElastiCache clusters should be provisioned in a VPC

Description

Provision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.

Rationale

Using the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.

Remediation

From the console

Follow the Getting started with Amazon VPC docs to configure AWS EC2-VPC for your ElastiCache clusters.

From the command line

Run create-vpc to create a new Virtual Private Cloud (VPC) for your ElastiCache cluster.

create-vpc.sh

  aws ec2 create-vpc
      --cidr-block 10.0.0.0/16
  

Run aws ec2 create-internet-gateway to create a new AWS Internet Gateway for your new VPC.
Run attach-internet-gateway with the VPC ID returned in step 1, and the internet gateway ID returned in step 2.

create-subnet.sh

  aws ec2 create-subnet
      --vpc-id vpc-ab12c345
      --cidr-block 10.0.1.0/24
  

Run create-route-table with your VPC ID created in step 1.

create-route-table.sh

  aws ec2 create-route-table
      --vpc-id vpc-ab12c345
  

Run associated-route-table with the subnet ID returned in step 3, and the route table ID returned in step 4.

associate-route-table.sh

  aws ec2 associate-route-table
    --route-table-id rta-12345678
    --subnet-id subnet-ab123c45
  

Run create-route to add a new route to your new VPC route table.

create-route.sh

  aws ec2 create-route
    --route-table-id rta-12345678
    --destination-cidr-block 0.0.0.0/0
    --gateway-id gwi-123a4b56
  

Run create-security-group with your new VPC ID to create a security group for your new cluster.

create-security-group.sh

  aws ec2 create-security-group
    --group-name ECSecurityGroup
    --description "Redis CC Security Group"
    --vpc-id vpc-ab12c345
  

Run authorize-security-group-ingress to add more inbound rules to the security group created in step 7.

authorize-security-group-ingress.sh

  aws ec2 authorize-security-group-ingress
    --group-id se-a12345b0
    --protocol tcp
    --port 1234
    --cidr 10.0.0.0/16
  

Run create-cache-cluster to recreate your EC2-Classic cache cluster within your new AWS VPC. Use the newly created ElastiCache cluster configuration attributes returned in the steps above.

create-cache-cluster.sh

  aws elasticache create-cache-cluster
    --cache-cluster-id vpccachecluster
    --az-mode single-az
    --cache-node-type cache.m5.large
    --num-cache-nodes 1
    --engine redis
    --engine-version "2.6.13"
    --security-group-ids "se-a12345b0"
    --port 1234
    --auto-minor-version-upgrade
  