Terraform AWS Elasticache
Redis or Memcached clusters and replication groups with subnet groups, security groups, transit and at rest encryption, auth tokens, parameter groups, and automatic failover.
Controls Enforced
The following compliance controls are enforced by this module at terraform plan time.
- ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater low effort
- ElastiCache for Redis replication groups should have automatic failover enabled low effort
- ElastiCache for Redis replication groups should be encrypted at rest low effort
- ElastiCache for Redis replication groups should be encrypted with CMK low effort
- ElastiCache for Redis replication groups should be encrypted in transit low effort
- ElastiCache for Redis replication groups before version 6.0 should use Redis Auth low effort
Quick Start
module "elasticache" {
source = "acscessentialeight.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "acscism2023.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "awscontroltower.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "awsgenai.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "awswellarchitected.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cccsmedium.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cisv140.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cisv500.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cis.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cisv80ig1.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "eugmpannex11.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "fedramplow.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "fedrampmoderate.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "ffiec.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "gdpr.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "hipaa.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "iso27001.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "nis2.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "nist800171.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "nist80053.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "nistcsf.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "nydfs23.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "pcidss.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
module "elasticache" {
source = "soc2.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "<version>"
# ... your arguments here
}
See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.
Migration from Upstream
Already using terraform-aws-modules? Change only the source URL:
module "elasticache" {
source = "terraform-aws-modules/elasticache/aws"
version = "1.0"
}
module "elasticache" {
source = "soc2.compliance.tf/terraform-aws-modules/elasticache/aws"
version = "1.0"
}
Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.
See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL to the upstream path:
module "elasticache" {
source = "terraform-aws-modules/elasticache/aws"
}
Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
ACSC-EE-ML3-8.3: Regular backups ML3
11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
11.4 Establish and Maintain an Isolated Instance of Recovery Data
Booting Up: Things to Do First-1
4.8 Validation - Data Transfer
Denial Of Service Protection (SC-5)
164.312(a)(2)(ii) Emergency access procedure
A.8.11 Data masking
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted with CMK
- ElastiCache for Redis replication groups should be encrypted in transit
A.8.14 Redundancy of information processing facilities
A.8.24 Use of cryptography
3 Incident handling
4 Business continuity and crisis management
9 Cryptography
ID.AM-08
PR.DS-1
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted with CMK
PR.DS-2
PR.IP-4
RC.RP-1
2.2.7: System components are configured and managed securely.
3.5.1: Primary account number (PAN) is secured wherever it is stored.
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted with CMK
4.2.1: PAN is protected with strong cryptography during transmission.
4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained
4.2.1.1: PAN is protected with strong cryptography during transmission.
8.3.2: Strong authentication for users and administrators is established and managed.
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted with CMK
- ElastiCache for Redis replication groups should be encrypted in transit
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted with CMK
- ElastiCache for Redis replication groups should be encrypted in transit
10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify
10.3.3: Audit logs are protected from destruction and unauthorized modifications.
8.IX Backup and Recovery
A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives
Framework Coverage
Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint
| Control | ISO/IEC 27001:2022 | NIST Cybersecurity Framework v2.0 | PCI DSS v4.0 | NIS2 Directive (EU 2022/2555) | SOC 2 | ACSC Essential Eight | Title 21 CFR Part 11 | CIS Controls v8.0 IG1 |
|---|---|---|---|---|---|---|---|---|
| ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater | ○ | ● | ● | ● | ● | ● | ● | ● |
| ElastiCache for Redis replication groups should have automatic failover enabled | ● | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| ElastiCache for Redis replication groups should be encrypted at rest | ● | ● | ● | ○ | ○ | ○ | ○ | ○ |
| ElastiCache for Redis replication groups should be encrypted with CMK | ● | ● | ● | ○ | ○ | ○ | ○ | ○ |
| ElastiCache for Redis replication groups should be encrypted in transit | ● | ● | ● | ● | ● | ○ | ○ | ○ |
| ElastiCache for Redis replication groups before version 6.0 should use Redis Auth | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
Showing top 8 frameworks by coverage. All framework endpoints →