ElastiCache nodes not created across multi-AZ

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ElastiCache nodes not created across multi-AZ

Metadata

Id: cfdef2e5-1fe4-4ef4-bea8-c56e08963150

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Availability

Learn More

Provider Reference

Description

Multi-node Amazon ElastiCache (Memcached) clusters must be deployed across multiple Availability Zones to maintain availability and avoid complete cluster outage if a single Availability Zone fails.

The AZMode property on AWS::ElastiCache::CacheCluster must be set to cross-az for resources with Engine set to memcached and NumCacheNodes greater than 1. If AZMode is omitted, the cluster defaults to single-az, so resources missing AZMode or with AZMode not equal to cross-az will be flagged as a configuration risk.

Secure configuration example:

MyCacheCluster:
  Type: AWS::ElastiCache::CacheCluster
  Properties:
    Engine: memcached
    NumCacheNodes: 3
    AZMode: cross-az
    CacheNodeType: cache.m6g.large

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myCacheCluster:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:
      AZMode: cross-az
      CacheNodeType: cache.m3.medium
      Engine: memcached
      NumCacheNodes: '3'
      PreferredAvailabilityZones:
        - us-west-2a
        - us-west-2a
        - us-west-2b

{
  "Resources": {
    "myCacheCluster2": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
        "AZMode": "cross-az",
        "CacheNodeType": "cache.m3.medium",
        "Engine": "memcached",
        "NumCacheNodes": "3",
        "PreferredAvailabilityZones": [
          "us-west-2a",
          "us-west-2a",
          "us-west-2b"
        ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myCacheCluster4:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:
      CacheNodeType: cache.m3.medium
      Engine: memcached
      NumCacheNodes: '3'
      PreferredAvailabilityZones:
        - us-west-2a
        - us-west-2a
        - us-west-2b

{
  "Resources": {
    "myCacheCluster5": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
        "AZMode": "single-az",
        "CacheNodeType": "cache.m3.medium",
        "Engine": "memcached",
        "NumCacheNodes": "3",
        "PreferredAvailabilityZones": [
          "us-west-2a",
          "us-west-2a",
          "us-west-2b"
        ]
      }
    }
  }
}

{
  "Resources": {
    "myCacheCluster6": {
      "Type": "AWS::ElastiCache::CacheCluster",
      "Properties": {
        "CacheNodeType": "cache.m3.medium",
        "Engine": "memcached",
        "NumCacheNodes": "3",
        "PreferredAvailabilityZones": [
          "us-west-2a",
          "us-west-2a",
          "us-west-2b"
        ]
      }
    }
  }
}