@turbot/aws-elasticache

The aws-elasticache mod contains resource, control and policy definitions for the AWS ElastiCache service.

Resource Types

Resource types covered by this mod:

Permissions

The permissions for ElastiCache and the grant level associated with each permission:

Permission | Grant Level | Help
cloudwatch:DescribeAlarms | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
cloudwatch:GetMetricStatistics | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeAccountAttributes | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeAvailabilityZones | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeSecurityGroups | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
ec2:DescribeVpcs | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
elasticache:AddTagsToResource | Operator | Operators can manage tags and reboot the cluster.
elasticache:AuthorizeCacheSecurityGroupIngress | Admin | Administrators can manage network ingress to a cache security group. Applications using ElastiCache must be running on Amazon EC2
elasticache:BatchApplyUpdateAction | Admin |
elasticache:BatchStopUpdateAction | Admin |
elasticache:CompleteMigration | Admin |
elasticache:CopySnapshot | Operator | Operators can create snapshots
elasticache:CreateCacheCluster | Admin |
elasticache:CreateCacheParameterGroup | Admin |
elasticache:CreateCacheSecurityGroup | Admin | Cache security groups are only used when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC).
elasticache:CreateCacheSubnetGroup | Admin | Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:CreateGlobalReplicationGroup | Admin |
elasticache:CreateReplicationGroup | Admin |
elasticache:CreateSnapshot | Operator | Operators can create snapshots
elasticache:CreateUser | Admin |
elasticache:CreateUserGroup | Admin |
elasticache:DecreaseNodeGroupsInGlobalReplicationGroup | Operator |
elasticache:DecreaseReplicaCount | Operator | Operators can decrease Amazon ElastiCache replica count.
elasticache:DeleteCacheCluster | Admin |
elasticache:DeleteCacheParameterGroup | Admin |
elasticache:DeleteCacheSecurityGroup | Admin |
elasticache:DeleteCacheSubnetGroup | Admin | Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:DeleteGlobalReplicationGroup | Admin |
elasticache:DeleteReplicationGroup | Admin |
elasticache:DeleteSnapshot | Admin | Operators can create snapshots
elasticache:DeleteUser | Admin |
elasticache:DeleteUserGroup | Admin |
elasticache:DescribeCacheClusters | Metadata | Metadata about the cache instance
elasticache:DescribeCacheEngineVersions | Metadata | Metadata about the cache instance
elasticache:DescribeCacheParameterGroups | Metadata | Metadata about the cache instance
elasticache:DescribeCacheParameters | Metadata | Metadata about the cache instance
elasticache:DescribeCacheSecurityGroups | Metadata | Metadata about the cache instance
elasticache:DescribeCacheSubnetGroups | Metadata | Metadata about the cache instance
elasticache:DescribeEngineDefaultParameters | Metadata | Metadata about the cache instance
elasticache:DescribeEvents | Metadata | Metadata about the cache instance
elasticache:DescribeGlobalReplicationGroups | Metadata |
elasticache:DescribeReplicationGroups | Metadata | Metadata about the cache instance
elasticache:DescribeReservedCacheNodes | Metadata | Metadata about the cache instance
elasticache:DescribeReservedCacheNodesOfferings | Metadata | Metadata about the cache instance
elasticache:DescribeServiceUpdates | Metadata |
elasticache:DescribeSnapshots | Metadata |
elasticache:DescribeUpdateActions | Metadata |
elasticache:DescribeUserGroups | Metadata |
elasticache:DescribeUsers | Metadata |
elasticache:DisassociateGlobalReplicationGroup | Admin |
elasticache:FailoverGlobalReplicationGroup | Admin |
elasticache:IncreaseNodeGroupsInGlobalReplicationGroup | Operator |
elasticache:IncreaseReplicaCount | Operator | Operators can increase Amazon ElastiCache replica count.
elasticache:ListAllowedNodeTypeModifications | Metadata |
elasticache:ListTagsForResource | Metadata |
elasticache:ModifyCacheCluster | Admin |
elasticache:ModifyCacheParameterGroup | Admin |
elasticache:ModifyCacheSubnetGroup | Admin | Administrators can manage custom subnet groups. Turbot managed subnet groups cannot be automatically protected
elasticache:ModifyGlobalReplicationGroup | Admin |
elasticache:ModifyUser | Admin |
elasticache:ModifyUserGroup | Admin |
elasticache:ModifyReplicationGroup | Admin |
elasticache:ModifyReplicationGroupShardConfiguration | Admin |
elasticache:PurchaseReservedCacheNodesOffering | Owner | Reserved instances can only be purchased by owners.
elasticache:RebalanceSlotsInGlobalReplicationGroup | Operator |
elasticache:RebootCacheCluster | Operator | Operators can manage tags and reboot the cluster.
elasticache:RemoveTagsFromResource | Operator | Operators can manage tags and reboot the cluster.
elasticache:ResetCacheParameterGroup | Admin |
elasticache:RevokeCacheSecurityGroupIngress | Admin | Revokes ingress from a cache security group. Use this operation to disallow access from an Amazon EC2 security group that had been previously authorized.
elasticache:StartMigration | Admin |
elasticache:TestFailover | Operator |
sns:ListSubscriptions | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html
sns:ListTopics | Metadata | Required for console access per http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html

Version: 5.8.0
Released On: Sep 26, 2023

Release Notes

5.8.0 (2023-09-26)

What's new?

  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Control Types

Added

  • AWS > ElastiCache > Replication Group > Backup

Policy Types

Added

  • AWS > ElastiCache > Replication Group > Backup
  • AWS > ElastiCache > Replication Group > Backup > Retention Period
  • AWS > ElastiCache > Replication Group > Backup > Window

Action Types

Added

  • AWS > ElastiCache > Cache Cluster > Skip alarm for approved control
  • AWS > ElastiCache > Cache Cluster > Skip alarm for approved control [90 days]
  • AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control
  • AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control [90 days]
  • AWS > ElastiCache > Replication Group > Skip alarm for approved control
  • AWS > ElastiCache > Replication Group > Skip alarm for approved control [90 days]
  • AWS > ElastiCache > Replication Group > Update Backup
  • AWS > ElastiCache > Snapshot > Skip alarm for approved control
  • AWS > ElastiCache > Snapshot > Skip alarm for approved control [90 days]

5.7.0 (2022-02-16)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

  • AWS > ElastiCache > Cache Cluster > Approved > Custom
  • AWS > ElastiCache > Cache Parameter Group > Approved > Custom
  • AWS > ElastiCache > Replication Group > Approved > Custom
  • AWS > ElastiCache > Snapshot > Approved > Custom

5.6.0 (2022-01-10)

What's new?

  • AWS/ElastiCache/Admin, AWS/ElastiCache/Operator and AWS/ElastiCache/Metadata now include permissions for Global Replication Group, User, User Group and Migration.
  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.5.0 (2021-06-25)

What's new?

  • AWS/ElastiCache/Admin now includes batch update permissions.

5.4.4 (2021-01-31)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.4.3 (2020-11-06)

Bug fixes

  • The AWS > ElastiCache > Cache Parameter Group > CMDB control would still remain in error for a few default cache parameter groups belonging to Redis 6.0, which were upserted incorrectly. Such resources will now be removed from the Turbot console and the control will now work smoothly.

5.4.2 (2020-10-30)

Bug fixes

  • The AWS > ElastiCache > Cache Parameter Group > CMDB control would go into an error state for default cache parameter groups belonging to Redis 6.0, which were upserted incorrectly. Such resources will now be removed and the AWS > ElastiCache > Cache Parameter Group > CMDB control will work as expected.

5.4.1 (2020-09-17)

Bug fixes

  • We've made some improvements to our real-time event handling that reduce the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.4.0 (2020-09-02)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.3.2 (2020-08-14)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.3.1 (2020-07-08)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.3.0 (2020-06-01)

Policy Types

Added

  • AWS > ElastiCache > Cache Cluster > Active > Budget
  • AWS > ElastiCache > Cache Cluster > Approved > Budget

Renamed

  • AWS > ElastiCache > Cache Cluster > Approved > Cache Cluster Engines to AWS > ElastiCache > Cache Cluster > Approved > Engines
  • AWS > ElastiCache > Cache Cluster > Configured > Precedence to AWS > ElastiCache > Cache Cluster > Configured > Claim Precedence
  • AWS > ElastiCache > Cache Parameter Group > Configured > Precedence to AWS > ElastiCache > Cache Parameter Group > Configured > Claim Precedence
  • AWS > ElastiCache > Replication Group > Configured > Precedence to AWS > ElastiCache > Replication Group > Configured > Claim Precedence

Removed

  • AWS > ElastiCache > Cache Cluster > Active > Status
  • AWS > ElastiCache > Snapshot > Active > Status

5.2.0 (2020-04-23)

Bug fixes

  • Approved and Active controls for Replication Groups are now equipped with an auto-retry mechanism to wait for the resources to be in Available state before deleting them.

Policy Types

Added

  • AWS > ElastiCache > Tags Template [Default]