@turbot/aws-elasticache
The aws-elasticache mod contains resource, control and policy definitions for the AWS ElastiCache service.
Resource Types
Resource types covered by this mod:
- AWS > ElastiCache
- AWS > ElastiCache > Cache Cluster
- AWS > ElastiCache > Cache Parameter Group
- AWS > ElastiCache > Replication Group
- AWS > ElastiCache > Snapshot
Permissions
The permissions for ElastiCache and the grant level associated with each:
Permission | Grant Level | Help |
---|---|---|
cloudwatch:DescribeAlarms | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
cloudwatch:GetMetricStatistics | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
ec2:DescribeAccountAttributes | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
ec2:DescribeAvailabilityZones | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
ec2:DescribeSecurityGroups | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
ec2:DescribeVpcs | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
elasticache:AddTagsToResource | Operator | Operators can manage tags and reboot the cluster. |
elasticache:AuthorizeCacheSecurityGroupIngress | Admin | "Administrators can manage network ingress to a cache security group. Applications using ElastiCache must be running on Amazon EC2 |
elasticache:BatchApplyUpdateAction | Admin | |
elasticache:BatchStopUpdateAction | Admin | |
elasticache:CompleteMigration | Admin | |
elasticache:CopySnapshot | Operator | "Operators can create snapshots |
elasticache:CreateCacheCluster | Admin | |
elasticache:CreateCacheParameterGroup | Admin | |
elasticache:CreateCacheSecurityGroup | Admin | Cache security groups are only used when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC). |
elasticache:CreateCacheSubnetGroup | Admin | "Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected |
elasticache:CreateGlobalReplicationGroup | Admin | |
elasticache:CreateReplicationGroup | Admin | |
elasticache:CreateSnapshot | Operator | "Operators can create snapshots |
elasticache:CreateUser | Admin | |
elasticache:CreateUserGroup | Admin | |
elasticache:DecreaseNodeGroupsInGlobalReplicationGroup | Operator | |
elasticache:DecreaseReplicaCount | Operator | Operators can decrease AmazonElastiCache replica count. |
elasticache:DeleteCacheCluster | Admin | |
elasticache:DeleteCacheParameterGroup | Admin | |
elasticache:DeleteCacheSecurityGroup | Admin | |
elasticache:DeleteCacheSubnetGroup | Admin | "Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected |
elasticache:DeleteGlobalReplicationGroup | Admin | |
elasticache:DeleteReplicationGroup | Admin | |
elasticache:DeleteSnapshot | Admin | "Operators can create snapshots |
elasticache:DeleteUser | Admin | |
elasticache:DeleteUserGroup | Admin | |
elasticache:DescribeCacheClusters | Metadata | "Metadata about the cache instance |
elasticache:DescribeCacheEngineVersions | Metadata | "Metadata about the cache instance |
elasticache:DescribeCacheParameterGroups | Metadata | "Metadata about the cache instance |
elasticache:DescribeCacheParameters | Metadata | "Metadata about the cache instance |
elasticache:DescribeCacheSecurityGroups | Metadata | "Metadata about the cache instance |
elasticache:DescribeCacheSubnetGroups | Metadata | "Metadata about the cache instance |
elasticache:DescribeEngineDefaultParameters | Metadata | "Metadata about the cache instance |
elasticache:DescribeEvents | Metadata | "Metadata about the cache instance |
elasticache:DescribeGlobalReplicationGroups | Metadata | |
elasticache:DescribeReplicationGroups | Metadata | "Metadata about the cache instance |
elasticache:DescribeReservedCacheNodes | Metadata | "Metadata about the cache instance |
elasticache:DescribeReservedCacheNodesOfferings | Metadata | "Metadata about the cache instance |
elasticache:DescribeServiceUpdates | Metadata | |
elasticache:DescribeSnapshots | Metadata | |
elasticache:DescribeUpdateActions | Metadata | |
elasticache:DescribeUserGroups | Metadata | |
elasticache:DescribeUsers | Metadata | |
elasticache:DisassociateGlobalReplicationGroup | Admin | |
elasticache:FailoverGlobalReplicationGroup | Admin | |
elasticache:IncreaseNodeGroupsInGlobalReplicationGroup | Operator | |
elasticache:IncreaseReplicaCount | Operator | Operators can increase AmazonElastiCache replica count. |
elasticache:ListAllowedNodeTypeModifications | Metadata | |
elasticache:ListTagsForResource | Metadata | |
elasticache:ModifyCacheCluster | Admin | |
elasticache:ModifyCacheParameterGroup | Admin | |
elasticache:ModifyCacheSubnetGroup | Admin | "Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected |
elasticache:ModifyGlobalReplicationGroup | Admin | |
elasticache:ModifyUser | Admin | |
elasticache:ModifyUserGroup | Admin | |
elasticache:ModifyReplicationGroup | Admin | |
elasticache:ModifyReplicationGroupShardConfiguration | Admin | |
elasticache:PurchaseReservedCacheNodesOffering | Owner | Reserved instances can only be purchased by owners. |
elasticache:RebalanceSlotsInGlobalReplicationGroup | Operator | |
elasticache:RebootCacheCluster | Operator | Operators can manage tags and reboot the cluster. |
elasticache:RemoveTagsFromResource | Operator | Operators can manage tags and reboot the cluster. |
elasticache:ResetCacheParameterGroup | Admin | |
elasticache:RevokeCacheSecurityGroupIngress | Admin | Revokes ingress from a cache security group. Use this operation to disallow access from an Amazon EC2 security group that had been previously authorized. |
elasticache:StartMigration | Admin | |
elasticache:TestFailover | Operator | |
sns:ListSubscriptions | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
sns:ListTopics | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html |
Recommended Version
Version
5.8.0
Released On
Sep 26, 2023
Depends On
Resource Types
- AWS > ElastiCache
- AWS > ElastiCache > Cache Cluster
- AWS > ElastiCache > Cache Parameter Group
- AWS > ElastiCache > Replication Group
- AWS > ElastiCache > Snapshot
Control Types
- AWS > ElastiCache > Cache Cluster > Active
- AWS > ElastiCache > Cache Cluster > Approved
- AWS > ElastiCache > Cache Cluster > CMDB
- AWS > ElastiCache > Cache Cluster > Configured
- AWS > ElastiCache > Cache Cluster > Discovery
- AWS > ElastiCache > Cache Cluster > Tags
- AWS > ElastiCache > Cache Cluster > Usage
- AWS > ElastiCache > Cache Parameter Group > Active
- AWS > ElastiCache > Cache Parameter Group > Approved
- AWS > ElastiCache > Cache Parameter Group > CMDB
- AWS > ElastiCache > Cache Parameter Group > Configured
- AWS > ElastiCache > Cache Parameter Group > Discovery
- AWS > ElastiCache > Cache Parameter Group > Usage
- AWS > ElastiCache > Replication Group > Active
- AWS > ElastiCache > Replication Group > Approved
- AWS > ElastiCache > Replication Group > Backup
- AWS > ElastiCache > Replication Group > CMDB
- AWS > ElastiCache > Replication Group > Configured
- AWS > ElastiCache > Replication Group > Discovery
- AWS > ElastiCache > Snapshot > Active
- AWS > ElastiCache > Snapshot > Approved
- AWS > ElastiCache > Snapshot > CMDB
- AWS > ElastiCache > Snapshot > Discovery
- AWS > ElastiCache > Snapshot > Tags
- AWS > ElastiCache > Snapshot > Usage
Policy Types
- AWS > ElastiCache > API Enabled
- AWS > ElastiCache > Approved Regions [Default]
- AWS > ElastiCache > Cache Cluster > Active
- AWS > ElastiCache > Cache Cluster > Active > Age
- AWS > ElastiCache > Cache Cluster > Active > Budget
- AWS > ElastiCache > Cache Cluster > Active > Last Modified
- AWS > ElastiCache > Cache Cluster > Approved
- AWS > ElastiCache > Cache Cluster > Approved > Budget
- AWS > ElastiCache > Cache Cluster > Approved > Custom
- AWS > ElastiCache > Cache Cluster > Approved > Engines
- AWS > ElastiCache > Cache Cluster > Approved > Regions
- AWS > ElastiCache > Cache Cluster > Approved > Usage
- AWS > ElastiCache > Cache Cluster > CMDB
- AWS > ElastiCache > Cache Cluster > Configured
- AWS > ElastiCache > Cache Cluster > Configured > Claim Precedence
- AWS > ElastiCache > Cache Cluster > Configured > Source
- AWS > ElastiCache > Cache Cluster > Regions
- AWS > ElastiCache > Cache Cluster > Tags
- AWS > ElastiCache > Cache Cluster > Tags > Template
- AWS > ElastiCache > Cache Cluster > Usage
- AWS > ElastiCache > Cache Cluster > Usage > Limit
- AWS > ElastiCache > Cache Parameter Group > Active
- AWS > ElastiCache > Cache Parameter Group > Active > Age
- AWS > ElastiCache > Cache Parameter Group > Active > Last Modified
- AWS > ElastiCache > Cache Parameter Group > Approved
- AWS > ElastiCache > Cache Parameter Group > Approved > Custom
- AWS > ElastiCache > Cache Parameter Group > Approved > Regions
- AWS > ElastiCache > Cache Parameter Group > Approved > Usage
- AWS > ElastiCache > Cache Parameter Group > CMDB
- AWS > ElastiCache > Cache Parameter Group > Configured
- AWS > ElastiCache > Cache Parameter Group > Configured > Claim Precedence
- AWS > ElastiCache > Cache Parameter Group > Configured > Source
- AWS > ElastiCache > Cache Parameter Group > Regions
- AWS > ElastiCache > Cache Parameter Group > Usage
- AWS > ElastiCache > Cache Parameter Group > Usage > Limit
- AWS > ElastiCache > Enabled
- AWS > ElastiCache > Permissions
- AWS > ElastiCache > Permissions > Levels
- AWS > ElastiCache > Permissions > Levels > Modifiers
- AWS > ElastiCache > Permissions > Lockdown
- AWS > ElastiCache > Permissions > Lockdown > API Boundary
- AWS > ElastiCache > Regions
- AWS > ElastiCache > Replication Group > Active
- AWS > ElastiCache > Replication Group > Active > Age
- AWS > ElastiCache > Replication Group > Active > Last Modified
- AWS > ElastiCache > Replication Group > Approved
- AWS > ElastiCache > Replication Group > Approved > Custom
- AWS > ElastiCache > Replication Group > Approved > Regions
- AWS > ElastiCache > Replication Group > Approved > Usage
- AWS > ElastiCache > Replication Group > Backup
- AWS > ElastiCache > Replication Group > Backup > Retention Period
- AWS > ElastiCache > Replication Group > Backup > Window
- AWS > ElastiCache > Replication Group > CMDB
- AWS > ElastiCache > Replication Group > Configured
- AWS > ElastiCache > Replication Group > Configured > Claim Precedence
- AWS > ElastiCache > Replication Group > Configured > Source
- AWS > ElastiCache > Replication Group > Regions
- AWS > ElastiCache > Snapshot > Active
- AWS > ElastiCache > Snapshot > Active > Age
- AWS > ElastiCache > Snapshot > Active > Last Modified
- AWS > ElastiCache > Snapshot > Approved
- AWS > ElastiCache > Snapshot > Approved > Custom
- AWS > ElastiCache > Snapshot > Approved > Regions
- AWS > ElastiCache > Snapshot > Approved > Usage
- AWS > ElastiCache > Snapshot > CMDB
- AWS > ElastiCache > Snapshot > Regions
- AWS > ElastiCache > Snapshot > Tags
- AWS > ElastiCache > Snapshot > Tags > Template
- AWS > ElastiCache > Snapshot > Usage
- AWS > ElastiCache > Snapshot > Usage > Limit
- AWS > ElastiCache > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-elasticache
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-elasticache
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-elasticache
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-elasticache
Release Notes
5.8.0 (2023-09-26)
What's new?
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Control Types
Added
- AWS > ElastiCache > Replication Group > Backup
Policy Types
Added
- AWS > ElastiCache > Replication Group > Backup
- AWS > ElastiCache > Replication Group > Backup > Retention Period
- AWS > ElastiCache > Replication Group > Backup > Window
Action Types
Added
- AWS > ElastiCache > Cache Cluster > Skip alarm for approved control
- AWS > ElastiCache > Cache Cluster > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Replication Group > Skip alarm for approved control
- AWS > ElastiCache > Replication Group > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Replication Group > Update Backup
- AWS > ElastiCache > Snapshot > Skip alarm for approved control
- AWS > ElastiCache > Snapshot > Skip alarm for approved control [90 days]
5.7.0 (2022-02-16)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
Policy Types
Added
- AWS > ElastiCache > Cache Cluster > Approved > Custom
- AWS > ElastiCache > Cache Parameter Group > Approved > Custom
- AWS > ElastiCache > Replication Group > Approved > Custom
- AWS > ElastiCache > Snapshot > Approved > Custom
5.6.0 (2022-01-10)
What's new?
- AWS/ElastiCache/Admin, AWS/ElastiCache/Operator and AWS/ElastiCache/Metadata now include permissions for Global Replication Group, User, User Group and Migration.
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.5.0 (2021-06-25)
What's new?
- AWS/ElastiCache/Admin now includes batch update permissions.
5.4.4 (2021-01-31)
Bug fixes
- Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
5.4.3 (2020-11-06)
Bug fixes
- The AWS > ElastiCache > Cache Parameter Group > CMDB control would still remain in error for a few default cache parameter groups belonging to Redis6.0, which were upserted incorrectly. Such resources will now be removed from the Turbot console and the control will now work smoothly.
5.4.2 (2020-10-30)
Bug fixes
- The AWS > ElastiCache > Cache Parameter Group > CMDB control would go into an error state for default cache parameter groups belonging to Redis6.0, which were upserted incorrectly. Such resources will now be removed and the AWS > ElastiCache > Cache Parameter Group > CMDB control will work as expected.
5.4.1 (2020-09-17)
Bug fixes
- We've made some improvements to our real-time event handling that reduce the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
5.4.0 (2020-09-02)
What's new?
- Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.
5.3.2 (2020-08-14)
Bug fixes
- In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
5.3.1 (2020-07-08)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
5.3.0 (2020-06-01)
Policy Types
Added
- AWS > ElastiCache > Cache Cluster > Active > Budget
- AWS > ElastiCache > Cache Cluster > Approved > Budget
Renamed
- AWS > ElastiCache > Cache Cluster > Approved > Cache Cluster Engines to AWS > ElastiCache > Cache Cluster > Approved > Engines
- AWS > ElastiCache > Cache Cluster > Configured > Precedence to AWS > ElastiCache > Cache Cluster > Configured > Claim Precedence
- AWS > ElastiCache > Cache Parameter Group > Configured > Precedence to AWS > ElastiCache > Cache Parameter Group > Configured > Claim Precedence
- AWS > ElastiCache > Replication Group > Configured > Precedence to AWS > ElastiCache > Replication Group > Configured > Claim Precedence
Removed
- AWS > ElastiCache > Cache Cluster > Active > Status
- AWS > ElastiCache > Snapshot > Active > Status
5.2.0 (2020-04-23)
Bug fixes
- Approved and Active controls for Replication Groups are now equipped with an auto-retry mechanism to wait for the resources to be in Available state before deleting them.
Policy Types
Added
- AWS > ElastiCache > Tags Template [Default]