Ensure ElastiCache Redis Clusters Have Automatic Minor Version Upgrades Enabled
Overview
This check verifies that your Amazon ElastiCache Redis replication groups have automatic minor version upgrades enabled. When enabled, AWS automatically applies minor engine version updates during your maintenance window, keeping your Redis clusters patched with the latest security fixes and stability improvements.
Risk
Without automatic minor version upgrades, your Redis clusters may run outdated software with known security vulnerabilities. This can lead to:
- Security exposure: Unpatched vulnerabilities (CVEs) remain exploitable
- Stability issues: Bug fixes and performance improvements are not applied
- Compliance gaps: Many security frameworks require timely patching
- Operational burden: Manual upgrades require more effort and coordination
Severity: High
Remediation Steps
Prerequisites
You need access to modify ElastiCache replication groups in your AWS account. This typically requires the elasticache:ModifyReplicationGroup permission, plus elasticache:DescribeReplicationGroups to list groups and verify the change.
Required IAM permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeReplicationGroups",
        "elasticache:ModifyReplicationGroup"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to ElastiCache (search for it in the top search bar)
- In the left sidebar, click Redis OSS caches
- Select the replication group you want to update
- Click Modify
- Scroll to the Maintenance section
- Check the box for Auto upgrade minor versions
- Choose whether to apply the change immediately or during the next maintenance window
- Click Preview changes, then Modify
AWS CLI
Use the following command to enable automatic minor version upgrades on an existing replication group:
aws elasticache modify-replication-group \
--replication-group-id <your-replication-group-id> \
--auto-minor-version-upgrade \
--apply-immediately \
--region us-east-1
Replace <your-replication-group-id> with the ID of your Redis replication group.
To list all replication groups and check their current settings:
aws elasticache describe-replication-groups \
--query 'ReplicationGroups[*].{ID:ReplicationGroupId,AutoMinorVersionUpgrade:AutoMinorVersionUpgrade}' \
--output table \
--region us-east-1
To find replication groups with auto minor version upgrade disabled:
aws elasticache describe-replication-groups \
--query 'ReplicationGroups[?AutoMinorVersionUpgrade==`false`].ReplicationGroupId' \
--output text \
--region us-east-1
CloudFormation
When creating or updating an ElastiCache Redis replication group via CloudFormation, set AutoMinorVersionUpgrade to true:
AWSTemplateFormatVersion: '2010-09-09'
Description: ElastiCache Redis Replication Group with Auto Minor Version Upgrade
Parameters:
  ReplicationGroupId:
    Type: String
    Description: Unique identifier for the replication group
  CacheNodeType:
    Type: String
    Default: cache.t3.micro
    Description: The compute and memory capacity of the nodes
  SubnetGroupName:
    Type: String
    Description: The name of the subnet group to use
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: !Ref ReplicationGroupId
      ReplicationGroupDescription: Redis cluster with auto minor version upgrade enabled
      AutomaticFailoverEnabled: true
      AutoMinorVersionUpgrade: true
      CacheNodeType: !Ref CacheNodeType
      CacheSubnetGroupName: !Ref SubnetGroupName
      Engine: redis
      EngineVersion: '7.1'
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 1
      Port: 6379
      AtRestEncryptionEnabled: true
      TransitEncryptionEnabled: true
Outputs:
  ReplicationGroupEndpoint:
    Description: Primary endpoint for the Redis replication group
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
Terraform
When managing ElastiCache Redis with Terraform, set auto_minor_version_upgrade = true:
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id = "my-redis-cluster"
  description          = "Redis cluster with auto minor version upgrade enabled"
  engine               = "redis"
  engine_version       = "7.1"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 2
  port                 = 6379
  subnet_group_name    = var.subnet_group_name
  security_group_ids   = var.security_group_ids

  # Enable automatic minor version upgrades
  auto_minor_version_upgrade = true

  automatic_failover_enabled = true
  multi_az_enabled           = true
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true

  tags = {
    Environment = "production"
  }
}
Verification
After enabling automatic minor version upgrades, verify the setting was applied:
- In the AWS Console, navigate to your replication group and check that Auto upgrade minor versions shows as Yes
- Re-run the Prowler check to confirm the finding is resolved
CLI verification
aws elasticache describe-replication-groups \
--replication-group-id <your-replication-group-id> \
--query 'ReplicationGroups[0].AutoMinorVersionUpgrade' \
--region us-east-1
The output should be true.
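The listing queries in the CLI section and the single-group verification query above are easy to run by hand but awkward across many replication groups and regions. As an added example (not part of this page and not Prowler's own check code), the following Python applies the same AutoMinorVersionUpgrade filter to parsed describe-replication-groups output, treats a missing attribute as a failure rather than a silent pass, and generates the modify-replication-group commands documented in the CLI section. The sample pages are constructed; the function names and the optional boto3 paginator helper are this example's own.

```python
"""Audit ElastiCache replication groups for automatic minor version upgrades.

Added example, not Prowler's check code. Works offline on parsed
describe-replication-groups pages; the boto3 helper at the end is optional.
"""
import shlex
from typing import Any, Iterable, Mapping

# Constructed sample pages shaped like `aws elasticache describe-replication-groups`
# output. Two pages stand in for a paginated result (real pages also carry a Marker).
SAMPLE_PAGES = [
    {
        "ReplicationGroups": [
            {"ReplicationGroupId": "orders-cache", "Status": "available",
             "AutoMinorVersionUpgrade": True},
            {"ReplicationGroupId": "legacy-sessions", "Status": "available",
             "AutoMinorVersionUpgrade": False},
        ]
    },
    {
        "ReplicationGroups": [
            # Attribute absent: fail closed, since we cannot prove the setting is on.
            {"ReplicationGroupId": "unknown-state", "Status": "modifying"},
        ]
    },
]


def noncompliant_groups(pages: Iterable[Mapping[str, Any]]) -> list[str]:
    """Return IDs of replication groups whose AutoMinorVersionUpgrade is not True.

    Same intent as the JMESPath filter
    ReplicationGroups[?AutoMinorVersionUpgrade==`false`] in the CLI section,
    except that a missing attribute is reported instead of passing silently.
    """
    failing = []
    for page in pages:
        for group in page.get("ReplicationGroups", []):
            if group.get("AutoMinorVersionUpgrade") is not True:
                failing.append(group["ReplicationGroupId"])
    return failing


def remediation_commands(group_ids: Iterable[str], region: str,
                         apply_immediately: bool = False) -> list[str]:
    """Build the modify-replication-group commands from the CLI section.

    apply_immediately defaults to False so the change lands in the maintenance
    window; pass True to mirror the --apply-immediately flag used on the page.
    """
    cmds = []
    for gid in group_ids:
        parts = ["aws elasticache modify-replication-group",
                 f"--replication-group-id {shlex.quote(gid)}",
                 "--auto-minor-version-upgrade"]
        if apply_immediately:
            parts.append("--apply-immediately")
        parts.append(f"--region {shlex.quote(region)}")
        cmds.append(" ".join(parts))
    return cmds


def verify(pages: Iterable[Mapping[str, Any]], group_id: str) -> bool:
    """Mirror the CLI verification query: True only when the group is compliant."""
    return group_id not in noncompliant_groups(list(pages))


def live_pages(region: str):
    """Optional: stream real pages with boto3 (needs credentials; not run here).

    Uses the describe_replication_groups paginator so every group is examined,
    not just the first page.
    """
    import boto3  # imported lazily so the offline functions need no AWS SDK
    client = boto3.client("elasticache", region_name=region)
    return client.get_paginator("describe_replication_groups").paginate()


if __name__ == "__main__":
    failing = noncompliant_groups(SAMPLE_PAGES)
    print("Non-compliant replication groups:", failing)
    for cmd in remediation_commands(failing, "us-east-1"):
        print(cmd)
```

Against the constructed sample this reports legacy-sessions and unknown-state and prints one modify-replication-group command for each; swap SAMPLE_PAGES for live_pages("us-east-1") to run it against a real account, and re-run noncompliant_groups afterwards as the verification step.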
Additional Resources
- AWS ElastiCache Engine Version Management
- Modifying a Replication Group
- ElastiCache Maintenance Window
- Prowler ElastiCache Checks
Notes
- Maintenance window: Minor version upgrades are applied during your configured maintenance window. If you need the change applied immediately, use --apply-immediately in the CLI or the corresponding option in the console.
- Multi-AZ deployments: For production workloads, combine automatic minor version upgrades with Multi-AZ deployment for high availability during maintenance.
- Testing: Consider testing minor version upgrades in a non-production environment first to validate application compatibility.
- Compliance frameworks: This check maps to AWS Foundational Security Best Practices, PCI DSS, C5, KISA-ISMS-P, and NIS2 requirements for maintaining patched systems.