ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

Redis is often the primary store for session state, feature flags, rate-limiting counters, and application caches that are expensive to rebuild. Losing this data without a recent backup can cause cascading application failures or silent data corruption that only surfaces days later. A 15-day retention window gives operations teams enough runway to detect delayed issues, such as bad deployments or subtle data poisoning, and restore to a known-good state.

ElastiCache backups are incremental after the first full snapshot, so storage costs for a 15-day window are modest relative to the recovery insurance they provide.

Retrofit consideration

Enabling backups on a running cluster with no prior snapshots triggers a full initial backup, which can cause brief latency spikes on smaller node types during the snapshot window.

Implementation

Choose the approach that matches how you manage Terraform.

Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.

module "elasticache" {
  source  = "soc2.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = ">=1.0.0,<2.0.0"

  description          = "Redis cluster"
  engine               = "redis"
  engine_version       = "7.1"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  replication_group_id = "abc123"
  subnet_ids           = ["subnet-12345678", "subnet-12345678"]
  vpc_id               = "vpc-12345678"
}

The block is identical for every framework; only the registry host in source changes. Use the host for the framework you are enforcing:

  • soc2.compliance.tf
  • pcidss.compliance.tf
  • hipaa.compliance.tf
  • nist80053.compliance.tf
  • nistcsf.compliance.tf
  • fedrampmoderate.compliance.tf
  • cisv80ig1.compliance.tf
  • nist800171.compliance.tf
  • cisacyberessentials.compliance.tf
  • nydfs23.compliance.tf
  • ffiec.compliance.tf
  • acscessentialeight.compliance.tf
  • eugmpannex11.compliance.tf
  • cfrpart11.compliance.tf
  • rbicybersecurity.compliance.tf
  • rbiitfnbfc.compliance.tf
  • fedramplow.compliance.tf
  • hipaasecurity2003.compliance.tf
  • nistcsfv11.compliance.tf
  • nist80053rev4.compliance.tf
  • pcidssv321.compliance.tf

If you use terraform-aws-modules/elasticache/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "elasticache" {
  source  = "terraform-aws-modules/elasticache/aws"
  version = ">=1.0.0,<2.0.0"

  description          = "Redis cluster"
  engine               = "redis"
  engine_version       = "7.1"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  replication_group_id = "abc123"
  subnet_ids           = ["subnet-12345678", "subnet-12345678"]
  vpc_id               = "vpc-12345678"

  # Inputs this control needs. The upstream module does not set retention itself,
  # so without these the provider default of 0 (backups off) applies.
  snapshot_retention_limit = 15
  snapshot_window          = "03:00-05:00" # UTC; keeps snapshot I/O off peak traffic
}

Use AWS provider resources directly. See docs for the resources involved: aws_elasticache_replication_group.

# Placeholder variable name: supply the AUTH token from a secrets store rather
# than committing a literal token to the configuration.
variable "redis_auth_token" {
  description = "AUTH token for the replication group"
  type        = string
  sensitive   = true
}

resource "aws_elasticache_replication_group" "this" {
  at_rest_encryption_enabled = true
  auth_token                 = var.redis_auth_token
  description                = "pofix example replication group"
  node_type                  = "cache.t3.micro"
  num_cache_clusters         = 2
  replication_group_id       = "pofix-abc123"
  # What the control evaluates: 0 or omitted disables automatic backups entirely.
  snapshot_retention_limit   = 15
  # Optional UTC window so snapshot I/O stays away from peak traffic.
  snapshot_window            = "03:00-05:00"
  subnet_group_name          = "example-subnet-group"
  transit_encryption_enabled = true
}

What this control checks

This control checks snapshot_retention_limit on aws_elasticache_replication_group, or on aws_elasticache_cluster where engine is "redis". The value must be 15 or higher. A value of 0 or an omitted argument disables automatic backups entirely and fails the control. Setting snapshot_window to a preferred UTC time range (e.g., "03:00-05:00") is advisable to avoid backup I/O during peak traffic, though the control only evaluates the retention limit. For replication groups, snapshot_retention_limit must be set on aws_elasticache_replication_group directly; the group-level setting takes precedence over anything set on member cluster resources.

Common pitfalls

  • Some small burstable node types have backup limitations

    If snapshot_retention_limit is rejected by the API, the cluster's node type is the first thing to check. Automatic backup support can vary by engine mode, version, and node class, and very small burstable types have limitations in some configurations. Review current AWS documentation for supported node types and switch to a supported class for any environment that requires automated backups.

  • Replication group vs. standalone cluster confusion

    When using aws_elasticache_replication_group, set snapshot_retention_limit on the replication group resource, not on any underlying aws_elasticache_cluster resources. Setting it on the cluster resource alone has no effect when the cluster belongs to a replication group. Terraform will not raise an error, but the backups will not be configured.

  • Default retention is 0 (disabled)

    The default value of snapshot_retention_limit in both the AWS API and the Terraform provider is 0, meaning backups are off unless explicitly set. This is easy to miss in module abstractions where the argument is never surfaced. Omitting it produces an immediate control failure with no other indication that backups are disabled.

  • Snapshot and maintenance windows should be planned carefully

    Get snapshot_window and preferred_maintenance_window wrong and you will see latency spikes during your busiest traffic periods. Both arguments accept UTC time ranges, and they cannot overlap. Set them deliberately relative to your traffic patterns rather than accepting the defaults.
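The rules in "What this control checks" and the pitfalls above (in-scope resource types, the omitted/0 failure, member clusters deferring to the group-level setting) can be applied to `terraform show -json` plan output before apply. This is an added example, not compliance.tf's or the AWS Config rule's code, and the plan snippet it reads is constructed.

```python
import json

MIN_RETENTION_DAYS = 15
RG, CLUSTER = "aws_elasticache_replication_group", "aws_elasticache_cluster"

def walk(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def evaluate_resource(res):
    """Return (verdict, reason) for one resource, or None when out of scope."""
    values = res.get("values") or {}
    if res["type"] == CLUSTER:
        if values.get("engine") != "redis":
            return None  # memcached clusters have no automatic backups
        if values.get("replication_group_id"):
            # The group-level limit governs members; a value here is ignored.
            return ("SKIP", "member cluster; retention is evaluated on the group")
    elif res["type"] != RG:
        return None
    limit = values.get("snapshot_retention_limit")
    if not limit:  # omitted (None) and 0 both mean backups are disabled
        return ("FAIL", "snapshot_retention_limit omitted or 0: backups disabled")
    if limit < MIN_RETENTION_DAYS:
        return ("FAIL", f"snapshot_retention_limit={limit} < {MIN_RETENTION_DAYS}")
    return ("PASS", f"snapshot_retention_limit={limit}")

def evaluate_plan(plan_json):
    """Map each in-scope resource address to its (verdict, reason)."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return {r["address"]: v for r in walk(root) if (v := evaluate_resource(r))}

# Constructed sample trimmed to the fields read above; not real plan output.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_elasticache_replication_group.this", "type": RG,
         "values": {"snapshot_retention_limit": 15}},
        {"address": "aws_elasticache_cluster.memcached", "type": CLUSTER,
         "values": {"engine": "memcached", "snapshot_retention_limit": 0}},
        {"address": "aws_elasticache_cluster.member", "type": CLUSTER,
         "values": {"engine": "redis", "replication_group_id": "abc123"}}],
    "child_modules": [{"address": "module.elasticache", "resources": [
        {"address": "module.elasticache.aws_elasticache_replication_group.this",
         "type": RG, "values": {"node_type": "cache.t3.micro"}}]}]}}})

if __name__ == "__main__":
    for address, (verdict, reason) in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{verdict:4} {address}: {reason}")
```

Run it against real output with `terraform show -json tfplan > plan.json` and pass the file contents to `evaluate_plan`; the module-wrapped group in the sample fails because the wrapper never surfaced the argument, which is exactly the "Default retention is 0" pitfall.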

Audit evidence

Auditors expect AWS Config rule evaluation results showing all ElastiCache Redis clusters as COMPLIANT, or an equivalent report from a CSPM tool. Console screenshots of the ElastiCache cluster detail page showing Backup enabled with a retention period of 15 days or more are acceptable supplementary evidence. CloudTrail events for ModifyReplicationGroup or CreateReplicationGroup with the SnapshotRetentionLimit parameter show when the setting was applied and by whom.

For continuous assurance, provide a time-series export of AWS Config compliance status covering the audit period, proving the control remained enforced and was not temporarily relaxed.

Framework-specific interpretation

SOC 2: The CC7.5 availability criterion asks for evidence of backup and recovery capabilities. A 15-day retention window with documented snapshots is what availability-focused examiners ask to see during fieldwork.

PCI DSS v4.0: For card data environments using Redis for session or token storage, Requirement 12.10 expects you to restore affected systems following a security incident. Without retained backups, that restoration capability does not exist.

HIPAA Omnibus Rule 2013: 45 CFR 164.308(a)(7)(ii)(A) requires a data backup plan that creates and maintains retrievable exact copies of ePHI. Redis clusters storing PHI-adjacent session or token data may fall within scope depending on how your system boundary is drawn, so whether this control is required is a scoping question, not a technical one.

NIST SP 800-53 Rev 5: Both CP-9 (System Backup) and CP-10 (System Recovery and Reconstitution) apply here. CP-9 calls for backup mechanisms with organization-defined retention periods, and the 15-day threshold fits common parameter selections for moderate-impact systems. CP-10 expects actual restoration capability, which requires a snapshot to restore from in the first place.

NIST Cybersecurity Framework v2.0: Automated daily snapshots with a 15-day window feed directly into RC.RP recovery planning for anything stored in ElastiCache. PR.DS-1 is a secondary touch point if those snapshots are also encrypted at rest.

FedRAMP Moderate Baseline Rev 4: CP-9 at the Moderate baseline requires backups of system and user data at defined frequencies with defined retention. A 15-day window fits typical CP-9 parameter selections for moderate-impact data stores and supports the backup objectives that FedRAMP assessors evaluate.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: elasticache_redis_cluster_automatic_backup_retention_15_days

  • AWS Config Managed Rule: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

  • Checkov Check: CKV_AWS_134

  • Powerpipe Control: aws_compliance.control.elasticache_redis_cluster_automatic_backup_retention_15_days

  • Prowler Check: elasticache_redis_cluster_backup_enabled

  • AWS Security Hub Control: ElastiCache.1

  • KICS Query: 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab

  • Trivy Check: AWS-0050

Last reviewed: 2026-03-09