🛡️ AWS ElastiCache Redis Cluster automatic backups are not enabled🟢

• Contextual name: 🛡️ Redis Cluster automatic backups are not enabled🟢
• ID: /ce/ca/aws/elasticache/redis-cluster-automatic-backup
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ElastiCache Cluster
  • 🔌 AWS ElastiCache Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ElastiCache.1] ElastiCache (Valkey and Redis OSS) clusters should have automatic backups enabled

Description

Open File

Description

This policy identifies AWS ElastiCache Clusters for Redis OSS and Valkey that do not have automatic backups enabled. Automatic backups are considered enabled when the snapshot retention period is set to a value greater than zero.

Rationale

Enabling automatic backups allows ElastiCache to create daily snapshots of your Redis or Valkey cluster and retain them for a defined period. These snapshots can be used to restore the cluster to a known good state in the event of data corruption, accidental deletion, or cluster failure, significantly reducing data loss and downtime.

Impact

Enabling automatic backups may slightly increase storage costs and can introduce brief latency during snapshot creation.

Audit

This policy flags an AWS ElastiCache Cluster for Redis as INCOMPLIANT if Snapshot Retention Limit is set to 0.

ElastiCache Clusters for Memcached are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Enable Automatic Backups

From Command Line

For a Redis cluster with cluster mode enabled (Replication Group):

aws elasticache modify-replication-group \
    --replication-group-id {{replication-group-id}} \
    --snapshot-retention-limit {{7}} \
    --apply-immediately

For a Redis cluster with cluster mode disabled (Single Node or Non-Clustered):

aws elasticache modify-cache-cluster \
    --cache-cluster-id {{cache-cluster-id}} \
    --snapshot-retention-limit {{7}} \
    --apply-immediately

Adjust the --snapshot-retention-limit value to meet your organization’s backup retention policy.

Using --apply-immediately applies changes immediately; omit it to defer the change until the next maintenance window.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.1] ElastiCache (Valkey and Redis OSS) clusters should have automatic backups enabled			1		no data
💼 AWS Well-Architected → 💼 REL09-BP03 Perform data backup automatically			3		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			18		no data
💼 FedRAMP High Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	3		12		no data
💼 FedRAMP High Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			12		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	10		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		12		no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			12		no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	2		3		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		10		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		12		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			5		no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			12		no data
💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained			3		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			6		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6 Alternate Storage Site	3		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(1) Alternate Storage Site _ Separation from Primary Site			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		7		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			11		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		5		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			11		no data