ElastiCache clusters should be provisioned in a VPC

Docs > Datadog Security > OOTB Rules > ElastiCache clusters should be provisioned in a VPC

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

Provision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.

Rationale

Using the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.

Remediation

From the console

Follow the Getting started with Amazon VPC docs to configure AWS EC2-VPC for your ElastiCache clusters.

From the command line

Run create-vpc to create a new Virtual Private Cloud (VPC) for your ElastiCache cluster.

create-vpc.sh

  aws ec2 create-vpc
      --cidr-block 10.0.0.0/16
  

Run aws ec2 create-internet-gateway to create a new AWS Internet Gateway for your new VPC.
Run attach-internet-gateway with the VPC ID returned in step 1, and the internet gateway ID returned in step 2.

create-subnet.sh

  aws ec2 create-subnet
      --vpc-id vpc-ab12c345
      --cidr-block 10.0.1.0/24
  

Run create-route-table with your VPC ID created in step 1.

create-route-table.sh

  aws ec2 create-route-table
      --vpc-id vpc-ab12c345
  

Run associated-route-table with the subnet ID returned in step 3, and the route table ID returned in step 4.

associate-route-table.sh

  aws ec2 associate-route-table
    --route-table-id rta-12345678
    --subnet-id subnet-ab123c45
  

Run create-route to add a new route to your new VPC route table.

create-route.sh

  aws ec2 create-route
    --route-table-id rta-12345678
    --destination-cidr-block 0.0.0.0/0
    --gateway-id gwi-123a4b56
  

Run create-security-group with your new VPC ID to create a security group for your new cluster.

create-security-group.sh

  aws ec2 create-security-group
    --group-name ECSecurityGroup
    --description "Redis CC Security Group"
    --vpc-id vpc-ab12c345
  

Run authorize-security-group-ingress to add more inbound rules to the security group created in step 7.

authorize-security-group-ingress.sh

  aws ec2 authorize-security-group-ingress
    --group-id se-a12345b0
    --protocol tcp
    --port 1234
    --cidr 10.0.0.0/16
  

Run create-cache-cluster to recreate your EC2-Classic cache cluster within your new AWS VPC. Use the newly created ElastiCache cluster configuration attributes returned in the steps above.

create-cache-cluster.sh

  aws elasticache create-cache-cluster
    --cache-cluster-id vpccachecluster
    --az-mode single-az
    --cache-node-type cache.m5.large
    --num-cache-nodes 1
    --engine redis
    --engine-version "2.6.13"
    --security-group-ids "se-a12345b0"
    --port 1234
    --auto-minor-version-upgrade
  