ElastiCache without VPC

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ElastiCache without VPC

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: ba766c53-fe71-4bbb-be35-b6803f2ef13e

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Networking and Firewall

Learn More

Provider Reference

Description

Amazon ElastiCache clusters must be launched inside a VPC to provide network isolation and reduce the risk of unintended public or cross-account access.

In CloudFormation, AWS::ElastiCache::CacheCluster resources must include the CacheSubnetGroupName property. Resources with this property missing or set to null will be flagged because they may be created outside a VPC.

Ensure CacheSubnetGroupName references an AWS::ElastiCache::SubnetGroup (or a valid subnet group name) that contains only VPC subnet IDs so the cluster is deployed into the intended VPC subnets.

Secure configuration example:

MyCacheSubnetGroup:
  Type: AWS::ElastiCache::SubnetGroup
  Properties:
    Description: Subnet group for ElastiCache
    SubnetIds:
      - subnet-01234567
      - subnet-89abcdef

MyCacheCluster:
  Type: AWS::ElastiCache::CacheCluster
  Properties:
    CacheSubnetGroupName: !Ref MyCacheSubnetGroup
    Engine: redis
    CacheNodeType: cache.t3.micro
    NumCacheNodes: 1

Compliant Code Examples

Resources:
  ElasticacheCluster:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:    
      Engine: memcached
      CacheNodeType: cache.t2.micro
      NumCacheNodes: '1'
      CacheSubnetGroupName: default

{
  "Resources": {
    "ElasticacheCluster": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
          "CacheNodeType": "cache.m3.medium",
          "Engine": "memcached",
          "NumCacheNodes": "1",
          "CacheSubnetGroupName": "default"
      }
   }
  }
}

Non-Compliant Code Examples

{
  "Resources": {
    "ElasticacheCluster": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
          "CacheNodeType": "cache.m3.medium",
          "Engine": "memcached",
          "NumCacheNodes": "1"
      }
   }
  }
}

Resources:
  ElasticacheCluster:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:    
      Engine: memcached
      CacheNodeType: cache.t2.micro
      NumCacheNodes: '1'