FSI Services Spotlight: Featuring Amazon ElastiCache

In this edition of the Financial Services Industry (FSI) Services Spotlight monthly series, we are focusing on Amazon ElastiCache. FSI customers need a streamlined service approval process to adopt AWS services. To address this need, this post highlights five key considerations for customers running their workloads on ElastiCache: achieving compliance, data protection, isolation of compute environments, audits with APIs, and access control/security. In each of these areas, we provide specific guidance, suggest reference architectures, and technical examples to help streamline the deployment of ElastiCache.

ElastiCache is a fully-managed, in-memory caching service which supports real-time use cases that require ultrafast performance and high throughput. It’s compatible with the popular open-source caching engines, Redis and Memcached. ElastiCache is typically used as a cache to speed up applications or to boost database performance. ElastiCache can be placed in front of Amazon DynamoDB, Amazon Relational Database Service (Amazon RDS), Amazon Aurora, and other databases. It’s used to improve read performance, handle increased traffic, increase throughput, and enhance database performance. All of this is done while optimizing for costs by offloading repetitive queries to the cache. This frees up the database to handle additional workloads.

ElastiCache can also serve as a primary data store for use cases that don’t require durability, such as session stores, leaderboards, streaming, and API rate limiting. ElastiCache provides a highly available and scalable caching solution that can automatically manage the distribution of cache nodes across multiple Availability Zones (AZs). You can add or remove cache capacity in real-time or set policies for scaling the customer automatically, and the service takes care of provisioning the necessary infrastructure. ElastiCache for Redis with Multi-AZ provides four nines of availability, which makes it compelling for mission-critical applications that want to use in-memory caches to accelerate your applications.

Redis is a fast, open-source, in-memory data store and cache that can be used to power high-performance use cases, such as web, mobile apps, gaming, ad-tech, and Internet-of-Things (IoT). ElastiCache for Redis is a Redis-compatible service that provides high availability, reliability, and performance, while being fully-managed, scalable, and secure. Users can choose to have a 500-node cluster that ranges between 83 shards (one primary and five replicas per shard) and 500 shards (single primary and no replicas), giving you up to 1 petabyte in storage with Data-tiering.

Memcached is a widely adopted memory object caching system that can speed up dynamic web applications by alleviating database load. ElastiCache for Memcached is a fully-managed, in-memory data store and cache that is compatible with the Memcached protocol. It’s designed for use cases that require low-latency data access, high throughput, and can scale both horizontally and vertically. The maximum number of nodes in an ElastiCache Memcached cluster is 40.

ElastiCache offers numerous advanced features which make sure of high availability, such as multi-AZ auto failover and global datastore with cross-region replication. With support for up to 500 nodes per cluster and a maximum database size of 1 Petabyte, ElastiCache can handle a large amount of read and write operations, with a peak of 100 million requests-per-second. It also supports various node types, including T2, M5, R5, M6g, R6g, M6gd, and R6gd, and it offers scheduled snapshot support for easy backup and recovery. Additionally, ElastiCache allows for both scale out/in (sharded configuration) and scale up/down (all configurations) to easily adapt to changing workloads.

Amazon ElastiCache Use Cases in the Financial Services Industry

Many customers worldwide are using ElastiCache to build cache systems. For example, CapitalOne migrated their mainframe workloads to DynamoDB and ElastiCache Redis to serve millions of transactions with an average response time in sub milliseconds. They achieved lower response times for end-to-end request processing and unrestricted scalability for application developers. JPMorgan Chase modernized its core risk management platform using Amazon RDS and ElastiCache. The platform utilizes flexible in-memory data-structures like sorted-sets and lists that are supported in ElastiCache for Redis to manage its advanced worker selection process and effectively handle the load from large compute grids. To perform complex operations on the data stored in the worker queues and to achieve faster data processing, the platform leverages multiple Lua scripts as it reduces network round trips. ElastiCache makes sure that only one worker can access the cache at a given time, providing an efficient single-threaded solution for maintaining data consistency. DBS Bank Ltd, a Singaporean multinational banking and financial services company, built a new pricing engine, Quant Pricing Engine (QPE), on AWS. They utilize AWS services like ElastiCache for Redis, which acts as a fast memory cache for data caching, and job and message queues. Near significantly improved the performance of its critical real-time bidding (RTB) platform by reducing latency by four times and achieving 99.9% uptime by migrating to ElastiCache.

Achieving compliance

Security and compliance are a shared responsibility model between AWS and the customer. With ElastiCache, the shared responsibility model between AWS and the customer helps make sure of the secure deployment of in-memory cache workloads. As ElastiCache is a managed service, customers are responsible for fewer controls to deploy secure in-memory workloads with Redis and Memcached workloads. AWS operates, manages, and protects the infrastructure for the ElastiCache service. This leaves the customer responsible for a smaller set of security controls. On the customer’s side of the shared responsibility model, the customer should first evaluate their network connectivity, encryption, and access to other AWS resources to determine the necessary security measures.

To further support the customer’s compliance efforts, ElastiCache Redis supports numerous features, including encryption at-rest and in-transit, VPC security groups, and AWS Identity and Access Management (IAM) policies. In addition, ElastiCache Redis supports Role-Based Access Control (RBAC) and simplifies password rotations with secret manager. With these features in place, customers can be confident that their cache workloads are secure and meet their compliance requirements. We will dive deeper into those topics in the upcoming sections.

ElastiCache falls under the scope of the following compliance programs listed here:

• SOC 1,2,3
• PCI
• IRAP Protected
• ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v4.0
• OSPAR
• C5
• MTCS

Compliance reports for ElastiCache can be obtained under an AWS non-disclosure agreement (NDA) through the AWS Artifact portal. Note that the compliance status of ElastiCache doesn’t automatically extend to applications running in the AWS Cloud. Customers are responsible for making sure of compliance with standards, such as data protection and network connectivity, when using AWS services for their workloads. In the following sections, we cover topics on the customer side of the shared responsibility model.

ElastiCache data protection

Compliance regulations, such as PCI DSS, require encrypting data at rest throughout their lifecycle. To meet this requirement with ElastiCache for Redis, encryption can be enabled for both the cache data stored on disk and snapshots of cache clusters. ElastiCache for Redis supports encryption of cache data at rest using the industry-standard AES-256 encryption algorithm. You can use an AWS managed Customer Master Key (CMK) or create your own customer-managed CMKs. The encryption and decryption of your ElastiCache resources is managed through the AWS Key Management Service (AWS KMS). Enabling encryption can be done through the console, AWS Command Line Interface (AWS CLI), or API.

ElastiCache for Redis allows for automatically creating daily snapshots of the cache cluster. Snapshots can be used to restore data in the event of a failure or data loss. For versions 3.2.6 and 4.0.10 and later, snapshots of cache clusters for ElastiCache for Redis can also be encrypted. When encryption is enabled at the cluster level, any snapshots taken of that cache cluster will be encrypted using the same AWS KMS key. Customers can copy snapshots between regions and/or accounts for additional protection in the case of account exposure.

Encryption in transit for ElastiCache is accomplished through Transport Layer Security (TLS). This makes sure that data transmitted between the cache and your clients is encrypted over the network. You can configure encryption in transit by following the respective instructions for Redis and Memcached. To enable encryption in-transit, you must use ElastiCache for Memcached 1.6.12 or later, or ElastiCache for Redis 3.2.6, 4.0.10 and later. It’s recommended to enable encryption in transit when creating a cluster.

ElastiCache for Redis with the Multi-AZ option lets you bootstrap cache clusters that are distributed across multiple AZs and provide automatic failover in the event of node failures or an outage. Additionally, it also supports global datastore functionality, letting you replicate data across multiple regions for low-latency reads and disaster recovery across regions.

ElastiCache for Redis supports both IAM policies and RBAC. Using IAM policies, you can specify which AWS users and/or roles have access to your ElastiCache resources and what actions they can perform. This lets you control and monitor user access to your Redis clusters, making sure that only authorized personnel have access to sensitive data. ElastiCache for Redis supports the usage of authentication tokens or passwords to require a password before letting clients run commands. Additionally, you can use Amazon CloudWatch to monitor and AWS CloudTrail to audit user actions and track changes to your ElastiCache resources.

ElastiCache offers a robust solution for customers looking to secure their cache systems, with the ability to deploy on-premises using AWS Outposts. This added layer of deployment option provides a higher level of security and data residency, as the cache cluster can be isolated from the public Internet. In addition, ElastiCache integrates with CloudWatch, letting you monitor the health and performance of your cache cluster in real-time. With access to CloudWatch metrics and alarms, you can quickly identify any potential issues and set up alarms to alert you to these incidents, making sure of maximum uptime and optimal performance for your cache system.

Isolation of compute environments

ElastiCache servers can only be deployed within Amazon Virtual Private Clouds (Amazon VPCs), which offer a high level of network isolation and security. To control inbound and outbound traffic to and from ElastiCache servers in the VPC, you can utilize security groups and network access control lists (ACLs).

For complete resource isolation, you can create private subnets without access to the Internet and use AWS PrivateLink with ElastiCache in your VPC. With an interface VPC endpoint, you can privately access the ElastiCache APIs from applications inside of your VPC without exposing traffic to the public Internet and securing your traffic. Additionally, instances in your VPC don’t need public IP addresses to communicate with ElastiCache API endpoints.

Fine-grained access controls to ElastiCache APIs can be set up using VPC endpoint policies. You can specify IAM policies that determine who can access ElastiCache APIs and what actions they can perform. For example, allowing only specific IAM users or roles to access an ElastiCache API, such as modify cache clusters or create snapshots. This lets you make sure that only authorized personnel can access and make changes to your ElastiCache resources.

Automating audits with APIs for ElastiCache

AWS Config monitors the configuration of resources and provides some out-of-the-box rules to alert when resources fall into a non-compliant state. An out-of-the-box managed rule for ElastiCache Redis Clusters can be applied to make sure of data protection by having automatic backup turned on by using the “elasticache-redis-cluster-automatic-backup-check” rule. This rule is COMPLIANT when ElastiCache Redis Clusters have a SnapshotRetentionLimit that is greater than the SnapshotRetentionPeriod. Alerts can be delivered via Amazon Simple Notification Service (Amazon SNS), which is a resource that is determined to be non-compliant. AWS Config also includes automatic remediation capabilities with AWS Config rules. The automatic remediation feature gives you the ability to associate remediation actions with AWS Config rules and the ability to execute them automatically to address non-compliant resources without manual intervention. There are no managed AWS Config rules for ElastiCache Memcached Clusters.

Besides the managed Config rules, customers can build custom Config rules using API calls related to ElastiCache recorded by CloudTrail. CloudTrail is an AWS service that helps customers enable governance, compliance, and operational and risk auditing of their AWS account. CloudTrail captures all API calls for ElastiCache Redis clusters and ElastiCache Memcached clusters as events. The calls captured include calls from the ElastiCache console, code calls to the API operations, and the AWS CLI.

The following is an example of what a CloudTrail log looks like for a successful CreateCacheCluster action:

{ 
    "eventVersion":"1.01",
    "userIdentity":{
        "type":"IAMUser",
        "principalId":"EXAMPLEEXAMPLEEXAMPLE",
        "arn":"arn:aws:iam::123456789012:user/elasticache-allow",
        "accountId":"123456789012",
        "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
        "userName":"elasticache-allow"
    },
    "eventTime":"2014-12-01T22:00:35Z",
    "eventSource":"elasticache.amazonaws.com",
    "eventName":"CreateCacheCluster",
    "awsRegion":"us-west-2",
    "sourceIPAddress":"192.0.2.01",
    "userAgent":"AWS CLI/ElastiCache 1.10 API 2014-12-01",
    "requestParameters":{
        "numCacheNodes":2,
        "cacheClusterId":"test-memcached",
        "engine":"memcached",
        "aZMode":"cross-az",
        "cacheNodeType":"cache.m1.small",
    },
    "responseElements":{
        "engine":"memcached",
        "clientDownloadLandingPage":"https://console.aws.amazon.com/elasticache/home#client-download:",
        "cacheParameterGroup":{
            "cacheParameterGroupName":"default.memcached1.4",
            "cacheNodeIdsToReboot":{
            },
            "parameterApplyStatus":"in-sync"
        },
        "preferredAvailabilityZone":"Multiple",
        "numCacheNodes":2,
        "cacheNodeType":"cache.m1.small",
      
        "cacheClusterStatus":"creating",
        "autoMinorVersionUpgrade":true,
        "preferredMaintenanceWindow":"thu:05:00-thu:06:00",
        "cacheClusterId":"test-memcached",
        "engineVersion":"1.4.14",
        "cacheSecurityGroups":[
            {
                "status":"active",
                "cacheSecurityGroupName":"default"
            }
        ],
        "pendingModifiedValues":{
        }
    },
    "requestID":"104f30b3-3548-11e4-b7b8-6d79ffe84edd",
    "eventID":"92762127-7a68-42ce-8787-927d2174cde1" 
}

In addition to CloudTrail, ElastiCache records significant events for a cluster to a configured Amazon SNS topic. Examples include a failure to add a node, success in adding a node, the modification of a security group, and others. For further details on this topic, see the documentation regarding how to Manage ElastiCache Amazon SNS notifications for Redis clusters, and how to Manage ElastiCache Amazon SNS notifications for Memcached clusters.

Operational access and security with ElastiCache

FSI customers using AWS can make sure of the security and visibility of their data stored in the cloud through third-party auditor reports, such as AWS SOC 2 Type II and ISO 27001, available in AWS Artifact.

For securing access to your ElastiCache Redis and Memcached clusters, you can use IAM policies to control who can create, access, or edit a cluster by attaching a policy to them. When implementing IAM policies, you must follow the principle of least privilege and enforce separation of duties with proper authorization for each interaction with your AWS resources. ElastiCache provides two AWS managed IAM policies for this purpose:

• AmazonElastiCacheReadOnlyAccess – grants read-only access to ElastiCache Redis resources.
• AmazonElastiCacheFullAccess – grants full access to ElastiCache Redis resources.

Additionally, you can create custom IAM policies for specific ElastiCache API actions, such as elasticache:Connect which simplifies managing access to ElastiCache for Redis clusters with IAM. Then you can attach the corresponding custom policies to IAM users or groups that require those permissions. AWS customers can also federate authentication (SAML, LDAP, OpenID, or OAuth) with their own directories via single sign-on (SSO) directly to ElastiCache for Redis. Before doing so, make sure that you have the necessary permissions to create a service-linked role or have created an ElastiCache service-linked role.

RBAC is another critical security aspect in ElastiCache for Redis. RBAC lets you manage access to ElastiCache resources based on the role that a user holds within your organization. This approach makes sure that only authorized users have access to sensitive information, helping to mitigate the risk of security breaches and data theft. RBAC lets you assign specific permissions to an IAM user, group, or role, defining what actions they can perform on ElastiCache resources. For example, you could grant a user the permission to read data from a cache cluster, while denying them the ability to make modifications. This principle of least privilege helps reduce the attack surface of your systems, limiting the potential damage that could be caused by malicious actors. When using ElastiCache for Redis, you must have a well-defined RBAC strategy in place, taking into account the specific requirements of your organization and its compliance obligations.

Conclusion

This post has delved into the important aspects of ElastiCache, making it easier for FSI customers to understand and adopt the service. We focused on five key categories: achieving compliance, data protection, isolation of computing environments, automating audits with APIs, and operational access and security. These categories provide a comprehensive overview of the features and capabilities that can help FSI customers meet their security and compliance requirements with ElastiCache. Although this is not a one-size-fits-all approach, the information provided in this post is meant to be adaptable, allowing organizations to customize their approach to fit their specific needs. In short, this post provides a consolidated guide to the crucial areas of ElastiCache, making it an indispensable resource for FSIs looking to adopt the service.

Make sure to visit our AWS Industries channel and stay tuned for more FSI news and best practices.

Any discussion of reference architectures in this post is illustrative and for informational purposes only. It’s based on the information available at the time of publication. Any steps/recommendations are meant for educational purposes and initial proof of concepts, and not a full-enterprise solution.