🛡️ AWS ElastiCache Redis Cluster Auto Minor Version Upgrade is not enabled🟢

• Contextual name: 🛡️ Redis Cluster Auto Minor Version Upgrade is not enabled🟢
• ID: /ce/ca/aws/elasticache/redis-cluster-auto-minor-version-upgrade
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ElastiCache Cluster
  • 🔌 AWS ElastiCache Cluster - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies AWS ElastiCache for Redis clusters where the Auto Minor Version Upgrade feature is not enabled.

When enabled, this setting ensures that clusters automatically apply minor engine upgrades, which may include new features, performance enhancements, bug fixes, and security patches released by AWS.

Rationale

Enabling auto minor version upgrades reduces manual operational effort and helps ensure that ElastiCache clusters remain secure, stable, and performant. It also minimizes the risk of exposure to known vulnerabilities and software defects.

Impact

If auto minor version upgrades are not enabled, clusters may continue running outdated software versions. This increases the risk of security vulnerabilities, performance degradation, and compatibility issues.

Enabling this feature may require a scheduled maintenance window. During the upgrade, the cluster can experience a brief service interruption. For multi-node clusters, ElastiCache performs rolling upgrades to minimize downtime.

Audit

... see more

Remediation

Open File

Remediation

Enable Auto Minor Version Upgrade

From Command Line

aws elasticache modify-cache-cluster \
    --cache-cluster-id {{cluster-id}} \
    --auto-minor-version-upgrade

The --apply-immediately flag applies the change immediately; omit it to apply during the next maintenance window.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled			1		no data
💼 AWS Well-Architected → 💼 OPS05-BP05 Perform patch management			4		no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization			21		no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	23		no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8		no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			23		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		23		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			8		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status		1	8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates		2	8		no data
💼 PCI DSS v3.2.1 → 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.			6		no data
💼 PCI DSS v4.0.1 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates			6		no data
💼 PCI DSS v4.0 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates			6		no data