@turbot/aws-elasticache

The aws-elasticache mod contains resource, control and policy definitions for AWS ElastiCache service.

Resource Types

Resource types covered by this mod:

Permissions

Taking a look at permissions and associated grant levels for each permission for ElastiCache:

Permission	Grant Level	Help
cloudwatch:DescribeAlarms	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
cloudwatch:GetMetricStatistics	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeAccountAttributes	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeAvailabilityZones	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeSecurityGroups	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeVpcs	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
elasticache:AddTagsToResource	Operator	Operators can manage tags and reboot the cluster.
elasticache:AuthorizeCacheSecurityGroupIngress	Admin	"Administrators can manage network ingress to a cache security group. Applications using ElastiCache must be running on Amazon EC2
elasticache:BatchApplyUpdateAction	Admin
elasticache:BatchStopUpdateAction	Admin
elasticache:CompleteMigration	Admin
elasticache:CopySnapshot	Operator	"Operators can create snapshots
elasticache:CreateCacheCluster	Admin
elasticache:CreateCacheParameterGroup	Admin
elasticache:CreateCacheSecurityGroup	Admin	Cache security groups are only used when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC).
elasticache:CreateCacheSubnetGroup	Admin	"Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:CreateGlobalReplicationGroup	Admin
elasticache:CreateReplicationGroup	Admin
elasticache:CreateSnapshot	Operator	"Operators can create snapshots
elasticache:CreateUser	Admin
elasticache:CreateUserGroup	Admin
elasticache:DecreaseNodeGroupsInGlobalReplicationGroup	Operator
elasticache:DecreaseReplicaCount	Operator	Operators can decrease AmazonElastiCache replica count.
elasticache:DeleteCacheCluster	Admin
elasticache:DeleteCacheParameterGroup	Admin
elasticache:DeleteCacheSecurityGroup	Admin
elasticache:DeleteCacheSubnetGroup	Admin	"Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:DeleteGlobalReplicationGroup	Admin
elasticache:DeleteReplicationGroup	Admin
elasticache:DeleteSnapshot	Admin	"Operators can create snapshots
elasticache:DeleteUser	Admin
elasticache:DeleteUserGroup	Admin
elasticache:DescribeCacheClusters	Metadata	"Metadata about the cache instance
elasticache:DescribeCacheEngineVersions	Metadata	"Metadata about the cache instance
elasticache:DescribeCacheParameterGroups	Metadata	"Metadata about the cache instance
elasticache:DescribeCacheParameters	Metadata	"Metadata about the cache instance
elasticache:DescribeCacheSecurityGroups	Metadata	"Metadata about the cache instance
elasticache:DescribeCacheSubnetGroups	Metadata	"Metadata about the cache instance
elasticache:DescribeEngineDefaultParameters	Metadata	"Metadata about the cache instance
elasticache:DescribeEvents	Metadata	"Metadata about the cache instance
elasticache:DescribeGlobalReplicationGroups	Metadata
elasticache:DescribeReplicationGroups	Metadata	"Metadata about the cache instance
elasticache:DescribeReservedCacheNodes	Metadata	"Metadata about the cache instance
elasticache:DescribeReservedCacheNodesOfferings	Metadata	"Metadata about the cache instance
elasticache:DescribeServiceUpdates	Metadata
elasticache:DescribeSnapshots	Metadata
elasticache:DescribeUpdateActions	Metadata
elasticache:DescribeUserGroups	Metadata
elasticache:DescribeUsers	Metadata
elasticache:DisassociateGlobalReplicationGroup	Admin
elasticache:FailoverGlobalReplicationGroup	Admin
elasticache:IncreaseNodeGroupsInGlobalReplicationGroup	Operator
elasticache:IncreaseReplicaCount	Operator	Operators can increase AmazonElastiCache replica count.
elasticache:ListAllowedNodeTypeModifications	Metadata
elasticache:ListTagsForResource	Metadata
elasticache:ModifyCacheCluster	Admin
elasticache:ModifyCacheParameterGroup	Admin
elasticache:ModifyCacheSubnetGroup	Admin	"Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:ModifyGlobalReplicationGroup	Admin
elasticache:ModifyUser	Admin
elasticache:ModifyUserGroup	Admin
elasticache:ModifyReplicationGroup	Admin
elasticache:ModifyReplicationGroupShardConfiguration	Admin
elasticache:PurchaseReservedCacheNodesOffering	Owner	Reserved instances can only be purchased by owners.
elasticache:RebalanceSlotsInGlobalReplicationGroup	Operator
elasticache:RebootCacheCluster	Operator	Operators can manage tags and reboot the cluster.
elasticache:RemoveTagsFromResource	Operator	Operators can manage tags and reboot the cluster.
elasticache:ResetCacheParameterGroup	Admin
elasticache:RevokeCacheSecurityGroupIngress	Admin	Revokes ingress from a cache security group. Use this operation to disallow access from an Amazon EC2 security group that had been previously authorized.
elasticache:StartMigration	Admin
elasticache:TestFailover	Operator
sns:ListSubscriptions	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
sns:ListTopics	Metadata	Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html

Learn More About Guardrails

Recommended Version

Version

5.8.0

Released On

Sep 26, 2023

Depends On

@turbot/aws ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0

Resource Types

Control Types

Policy Types

Release Notes

5.8.0 (2023-09-26)

What's new?

README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Control Types

Added

AWS > ElastiCache > Replication Group > Backup

Policy Types

Added

AWS > ElastiCache > Replication Group > Backup
AWS > ElastiCache > Replication Group > Backup > Retention Period
AWS > ElastiCache > Replication Group > Backup > Window

Action Types

Added

AWS > ElastiCache > Cache Cluster > Skip alarm for approved control
AWS > ElastiCache > Cache Cluster > Skip alarm for approved control [90 days]
AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control
AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control [90 days]
AWS > ElastiCache > Replication Group > Skip alarm for approved control
AWS > ElastiCache > Replication Group > Skip alarm for approved control [90 days]
AWS > ElastiCache > Replication Group > Update Backup
AWS > ElastiCache > Snapshot > Skip alarm for approved control
AWS > ElastiCache > Snapshot > Skip alarm for approved control [90 days]

5.7.0 (2022-02-16)

What's new?

Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

AWS > ElastiCache > Cache Cluster > Approved > Custom
AWS > ElastiCache > Cache Parameter Group > Approved > Custom
AWS > ElastiCache > Replication Group > Approved > Custom
AWS > ElastiCache > Snapshot > Approved > Custom

5.6.0 (2022-01-10)

What's new?

AWS/ElastiCache/Admin AWS/ElastiCache/Operator and AWS/ElastiCache/Metadata now include permissions for Global Replication Group, User, User Group and Migration.
We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.5.0 (2021-06-25)

What's new?

AWS/ElastiCache/Admin now includes batch update permissions.

5.4.4 (2021-01-31)

Bug fixes

Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.4.3 (2020-11-06)

Bug fixes

The AWS > ElastiCache > Cache Parameter Group > CMDB control would still remain in error for a few default cache parameter groups belonging to Redis6.0, which were upserted incorrectly. Such resources will now be removed from the Turbot console and the control will now work smoothly.

5.4.2 (2020-10-30)

Bug fixes

The AWS > ElastiCache > Cache Parameter Group > CMDB control would go into an error state for default cache parameter groups belonging to Redis6.0, which were upserted incorrectly. Such resources will now be removed and the AWS > ElastiCache > Cache Parameter Group > CMDB control will work as expected.

5.4.1 (2020-09-17)

Bug fixes

We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.4.0 (2020-09-02)

What's new?

Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.3.2 (2020-08-14)

Bug fixes

In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.3.1 (2020-07-08)

Bug fixes

Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.3.0 (2020-06-01)

Policy Types

Added

AWS > ElastiCache > Cache Cluster > Active > Budget
AWS > ElastiCache > Cache Cluster > Approved > Budget

Renamed

AWS > ElastiCache > Cache Cluster > Approved > Cache Cluster Engines to AWS > ElastiCache > Cache Cluster > Approved > Engines
AWS > ElastiCache > Cache Cluster > Configured > Precedence to AWS > ElastiCache > Cache Cluster > Configured > Claim Precedence
AWS > ElastiCache > Cache Parameter Group > Configured > Precedence to AWS > ElastiCache > Cache Parameter Group > Configured > Claim Precedence
AWS > ElastiCache > Replication Group > Configured > Precedence to AWS > ElastiCache > Replication Group > Configured > Claim Precedence

Removed

AWS > ElastiCache > Cache Cluster > Active > Status
AWS > ElastiCache > Snapshot > Active > Status

5.2.0 (2020-04-23)

Bug fixes

Approved and Active controls for Replication Groups are now equipped with an auto-retry mechanism to wait for the resources to be in Available state before deleting them.

Policy Types

Added

AWS > ElastiCache > Tags Template [Default]