chore(aws): enhance metadata for elasticache service (#8933)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS DynamoDB service metadata to new format [(#8871)](https://github.com/prowler-cloud/prowler/pull/8871)
 - Update AWS EMR service metadata to new format [(#9002)](https://github.com/prowler-cloud/prowler/pull/9002)
 - Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
+- Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
 
 ---
 

prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json

@@ -1,26 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "elasticache_cluster_uses_public_subnet",
-  "CheckTitle": "Ensure Elasticache Cluster is not using a public subnet",
-  "CheckType": [],
+  "CheckTitle": "ElastiCache cluster is not using public subnets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "elasticache",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Ensure Elasticache Cluster is not using a public subnet",
-  "Risk": "There is a risk of exposing sensitive data if Elasticache Cluster uses a public subnet.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html",
+  "Description": "**ElastiCache resources** (Redis nodes and Memcached clusters) are assessed for placement in **public subnets**.\n\nThe finding identifies cache subnet groups that include subnets configured with Internet routing instead of private-only subnets.",
+  "Risk": "Hosting caches in **public subnets** can permit direct or misconfigured Internet access, impacting CIA:\n- Confidentiality: unauthorized reads and key dumps\n- Integrity: cache poisoning or key tampering\n- Availability: scanning and DDoS\n\nAttackers may pivot from the cache to **lateral movement** within the VPC.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SubnetGroups.html",
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticache modify-cache-cluster --cache-cluster-id my-elasticache-cluster --cache-subnet-group-name my-private-subnet-group",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws elasticache modify-cache-cluster --cache-cluster-id <example_resource_id> --cache-subnet-group-name <example_resource_name> --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: move ElastiCache into private subnets via a private subnet group\nResources:\n  PrivateCacheSubnetGroup:\n    Type: AWS::ElastiCache::SubnetGroup\n    Properties:\n      Description: Private subnets only\n      SubnetIds:\n        - <example_resource_id>  # private subnet\n        - <example_resource_id>  # private subnet\n\n  CacheCluster:\n    Type: AWS::ElastiCache::CacheCluster\n    Properties:\n      CacheClusterId: <example_resource_id>\n      Engine: redis\n      CacheNodeType: cache.t3.micro\n      NumCacheNodes: 1\n      CacheSubnetGroupName: !Ref PrivateCacheSubnetGroup  # CRITICAL: forces the cluster to use only private subnets\n```",
+      "Other": "1. In the AWS Console, go to ElastiCache > Subnet groups\n2. Click Create cache subnet group and select only private subnets (no route to an Internet Gateway)\n3. Go to ElastiCache > Redis or Memcached, select your cluster\n4. Click Modify, set Subnet group to the private subnet group\n5. Check Apply immediately and click Modify to save",
+      "Terraform": "```hcl\n# Terraform: ensure the cluster uses a subnet group with only private subnets\nresource \"aws_elasticache_subnet_group\" \"private\" {\n  name       = \"<example_resource_name>\"\n  subnet_ids = [\"<example_resource_id>\", \"<example_resource_id>\"] # private subnets only\n}\n\nresource \"aws_elasticache_cluster\" \"cache\" {\n  cluster_id      = \"<example_resource_id>\"\n  engine          = \"redis\"\n  node_type       = \"cache.t3.micro\"\n  num_cache_nodes = 1\n  subnet_group_name = aws_elasticache_subnet_group.private.name  # CRITICAL: restricts cluster to private subnets\n}\n```"
     },
     "Recommendation": {
-      "Text": "To ensure your Elasticache cluster is not using a public subnet, follow the recommended remediation steps based on your preferred method.",
-      "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html"
+      "Text": "Place caches in **private subnets** only and ensure route tables lack Internet egress. Apply **least privilege** with tight **security groups** limited to required ports and trusted sources.\n\nFor external access, use **VPC peering**, **VPN**, or **PrivateLink**. Enable encryption in transit and Redis `AUTH` for layered controls.",
+      "Url": "https://hub.prowler.com/check/elasticache_cluster_uses_public_subnet"
     }
   },
   "Categories": [

prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "elasticache_redis_cluster_auto_minor_version_upgrades",
-  "CheckTitle": "Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled.",
-  "CheckType": [],
+  "CheckTitle": "ElastiCache Redis cache cluster has automatic minor version upgrades enabled",
+  "CheckType": [
+    "Software and Configuration Checks/Patch Management",
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "elasticache",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "Other",
-  "Description": "Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled.",
-  "Risk": "Not enabling automatic minor version upgrades can expose your Redis cluster to security vulnerabilities, performance issues, and increased operational overhead due to the need for manual updates.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html",
+  "Description": "**ElastiCache for Redis** replication groups are configured to apply **automatic minor engine upgrades** using `AutoMinorVersionUpgrade`",
+  "Risk": "Without **automatic minor upgrades**, Redis nodes may run versions with known CVEs and stability bugs, enabling unauthorized access, replication inconsistencies, or crashes. Delayed patching widens the attack window and lengthens maintenance, degrading confidentiality, integrity, and availability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/VersionManagementConsiderations.html",
+    "https://support.icompaas.com/support/solutions/articles/62000233595-ensure-elasticache-redis-cache-clusters-have-automatic-minor-upgrades-enabled",
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/engine-versions.html",
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticache modify-cache-cluster --cache-cluster-id <cluster_id> --apply-immediately --auto-minor-version-upgrade",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-2",
-      "Terraform": ""
+      "CLI": "aws elasticache modify-replication-group --replication-group-id <replication_group_id> --auto-minor-version-upgrade --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: enable auto minor version upgrades on a Replication Group\nResources:\n  <example_resource_name>:\n    Type: AWS::ElastiCache::ReplicationGroup\n    Properties:\n      ReplicationGroupDescription: \"<example_description>\"\n      CacheNodeType: \"<example_node_type>\"\n      NumCacheClusters: 1\n      AutoMinorVersionUpgrade: true  # CRITICAL: turns on automatic minor version upgrades\n      # This ensures new minor engine versions are applied automatically\n```",
+      "Other": "1. Open the AWS console and go to ElastiCache\n2. Select Replication groups, choose the target group\n3. Click Modify\n4. Enable Automatic minor version upgrade\n5. Check Apply immediately and click Modify to save",
+      "Terraform": "```hcl\n# Enable auto minor version upgrades on an ElastiCache replication group\nresource \"aws_elasticache_replication_group\" \"<example_resource_name>\" {\n  replication_group_id       = \"<example_resource_id>\"\n  description                = \"<example_description>\"\n  node_type                  = \"<example_node_type>\"\n  num_cache_clusters         = 1\n  auto_minor_version_upgrade = true  # CRITICAL: automatically applies minor engine upgrades\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Elasticache clusters have automatic minor upgrades enabled.",
-      "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.html#Modify"
+      "Text": "Enable `AutoMinorVersionUpgrade` for Redis replication groups and govern updates with a maintenance window. Apply **patch management** and **defense in depth**: validate in staging, keep recent backups, use Multi-AZ for resilience, and monitor release notes to ensure timely, low-impact updates.",
+      "Url": "https://hub.prowler.com/check/elasticache_redis_cluster_auto_minor_version_upgrades"
     }
   },
   "Categories": [],

prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "elasticache_redis_cluster_automatic_failover_enabled",
-  "CheckTitle": "Ensure Elasticache Redis clusters have automatic failover enabled.",
-  "CheckType": [],
+  "CheckTitle": "ElastiCache Redis cluster has automatic failover enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "elasticache",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Ensure Elasticache Redis OSS cache clusters use automatic failover.",
-  "Risk": "If automatic failover is not enabled, a failure in the primary node could result in significant downtime, impacting the availability and resilience of your application.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html",
+  "Description": "**Amazon ElastiCache (Redis OSS) replication groups** have **automatic failover** set to `enabled`, allowing a replica to be promoted when the primary becomes unavailable",
+  "Risk": "**Missing automatic failover** reduces **availability**: a primary or AZ outage can stop writes and require manual recovery, prolonging downtime.\n\nAs Redis replication is asynchronous, delayed promotion increases chances of **lost or stale writes**, affecting **data integrity** and causing client timeouts.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/database/testing-automatic-failover-to-a-read-replica-on-amazon-elasticache-for-redis/",
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/AutoFailover.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-3",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-elasticache-redis-cluster-with-multi-az-automatic-failover-feature-set-to-enabled/"
+      "CLI": "aws elasticache modify-replication-group --replication-group-id <example_resource_id> --automatic-failover-enabled --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: enable automatic failover for a Redis replication group\nResources:\n  <example_resource_name>:\n    Type: AWS::ElastiCache::ReplicationGroup\n    Properties:\n      ReplicationGroupId: <example_resource_id>\n      ReplicationGroupDescription: \"<description>\"\n      NumCacheClusters: 2\n      AutomaticFailoverEnabled: true  # Critical: turns on automatic failover so the check passes\n      Engine: redis\n```",
+      "Other": "1. Open the AWS Console and go to ElastiCache\n2. Select your Redis replication group (<example_resource_id>)\n3. Click Modify\n4. Set Auto failover to Enabled\n5. Check Apply immediately\n6. Click Save changes",
+      "Terraform": "```hcl\n# Terraform: enable automatic failover for a Redis replication group\nresource \"aws_elasticache_replication_group\" \"<example_resource_name>\" {\n  replication_group_id          = \"<example_resource_id>\"\n  replication_group_description = \"<description>\"\n  node_type                     = \"cache.t3.small\"\n  number_cache_clusters         = 2\n  automatic_failover_enabled    = true  # Critical: turns on automatic failover so the check passes\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable automatic failover for ElastiCache (Redis OSS) clusters to ensure high availability and minimize downtime during failures.",
-      "Url": "https://redis.io/blog/highly-available-in-memory-cloud-datastores/"
+      "Text": "Enable **automatic failover** with **Multi-AZ**, keeping at least one replica per shard in a different AZ. Regularly *test failover* and monitor replication lag.\n\nArchitect clients for resilience with retries and backoff to tolerate brief role changes, aligning with **fault tolerance** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/elasticache_redis_cluster_automatic_failover_enabled"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "elasticache_redis_cluster_backup_enabled",
-  "CheckTitle": "Ensure Elasticache Redis cache cluster has automatic backups enabled.",
-  "CheckType": [],
+  "CheckTitle": "ElastiCache Redis cache cluster has automated snapshot backups enabled with retention of at least 7 days",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
+  ],
   "ServiceName": "elasticache",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "Other",
-  "Description": "Ensure Elasticache Redis cache cluster has automatic backups enabled.",
-  "Risk": "Ensure that your Amazon ElastiCache Redis cache clusters have a sufficient backup retention period set in order to fulfill your organization's compliance requirements. The retention period represents the number of days for which Amazon ElastiCache service retains automatic Redis cluster backups before deleting them.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-1",
+  "Description": "Amazon ElastiCache Redis replication groups have **automated snapshot backups** enabled with a **retention period** of at least `7` days.\n\nThe evaluation focuses on whether backups are enabled and the configured retention meets the minimum threshold.",
+  "Risk": "Absent or short-retained backups degrade **availability** and heighten **data loss** risk. Hardware failures, corruption, or accidental deletes may not be recoverable to needed points, undermining **RPO/RTO**, prolonging outages, and limiting **forensics** on cache data.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ElastiCache/enable-automatic-backups.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-1"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws elasticache modify-replication-group --region <value> --replication-group-id <value> --snapshot-retention-limit <value> --apply-immediately",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on/"
+      "CLI": "aws elasticache modify-replication-group --replication-group-id <REPLICATION_GROUP_ID> --snapshot-retention-limit 7 --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: set automated snapshot retention for a Redis replication group\nResources:\n  <example_resource_name>:\n    Type: AWS::ElastiCache::ReplicationGroup\n    Properties:\n      ReplicationGroupDescription: example\n      SnapshotRetentionLimit: 7  # Critical: enables automatic snapshots and retains them for >=7 days\n```",
+      "Other": "1. In the AWS Console, open ElastiCache\n2. Go to Redis > Replication groups\n3. Select <example_resource_id> and click Modify\n4. Set Snapshot retention (days) to 7 or higher\n5. Check Apply immediately\n6. Click Modify to save",
+      "Terraform": "```hcl\nresource \"aws_elasticache_replication_group\" \"<example_resource_name>\" {\n  replication_group_id       = \"<example_resource_id>\"\n  replication_group_description = \"<example_description>\"\n  snapshot_retention_limit   = 7  # Critical: enable automated backups and keep them for >=7 days\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Elasticache Cluster has automatic backups enabled.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-1"
+      "Text": "Enable **automated backups** and set **retention** to meet RPO/RTO (typically  `7` days).\n- Define a consistent `snapshot window`\n- Test restores regularly\n- Protect backup storage with **least privilege** and immutability\n- Monitor backup status for failures\n- Apply **defense in depth** with replicas/Multi-AZ",
+      "Url": "https://hub.prowler.com/check/elasticache_redis_cluster_backup_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""