Ensure ElastiCache Redis Cluster Has Automatic Backups Enabled
Overview
This check verifies that your Amazon ElastiCache Redis replication groups have automatic snapshot backups enabled with an appropriate retention period (at least 7 days). Automatic backups protect your cached data from accidental loss and support disaster recovery.
Risk
Without automatic backups enabled:
- Data loss: Hardware failures, data corruption, or accidental deletions may be unrecoverable
- Extended downtime: Recovery without backups requires rebuilding clusters from scratch
- Compliance violations: Many frameworks require backup retention periods for data protection
- Missed recovery objectives: Your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) cannot be met
Severity: High
Remediation Steps
Prerequisites
You need permission to modify ElastiCache replication groups in your AWS account.
AWS Console Method
- Open the Amazon ElastiCache console
- In the left navigation, select Redis OSS caches
- Select the replication group you want to modify
- Click the Modify button
- In the Backup section:
  - Set Backup retention period to at least 7 days
  - Optionally, set a Backup window (e.g., during low-traffic hours)
- Check Apply immediately if you want changes to take effect now
- Click Modify
AWS CLI (optional)
Enable automatic backups with a 7-day retention period:
aws elasticache modify-replication-group \
  --replication-group-id <your-replication-group-id> \
  --snapshot-retention-limit 7 \
  --apply-immediately \
  --region us-east-1
Replace <your-replication-group-id> with your actual replication group ID.
To also set a specific backup window (optional):
aws elasticache modify-replication-group \
  --replication-group-id <your-replication-group-id> \
  --snapshot-retention-limit 7 \
  --snapshot-window "05:00-09:00" \
  --apply-immediately \
  --region us-east-1
Note: The snapshot window is specified in UTC time.
CloudFormation (optional)
Use the SnapshotRetentionLimit property on your AWS::ElastiCache::ReplicationGroup resource:
AWSTemplateFormatVersion: '2010-09-09'
Description: ElastiCache Redis Replication Group with Automatic Backups Enabled
Parameters:
  ReplicationGroupId:
    Type: String
    Description: Unique identifier for the replication group
    Default: my-redis-cluster
  NodeType:
    Type: String
    Description: ElastiCache node type
    Default: cache.t3.micro
  SnapshotRetentionLimit:
    Type: Number
    Description: Number of days to retain automatic snapshots (0 disables backups)
    Default: 7
    MinValue: 1
    MaxValue: 35
Resources:
  RedisSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Subnet group for Redis cluster
      SubnetIds:
        - !Ref SubnetId
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: !Ref ReplicationGroupId
      ReplicationGroupDescription: Redis replication group with automatic backups
      Engine: redis
      CacheNodeType: !Ref NodeType
      NumCacheClusters: 2
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
      SnapshotWindow: 05:00-09:00
      CacheSubnetGroupName: !Ref RedisSubnetGroup
      AtRestEncryptionEnabled: true
      TransitEncryptionEnabled: true
  SubnetId:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcId
      CidrBlock: 10.0.1.0/24
  VpcId:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
Outputs:
  ReplicationGroupEndpoint:
    Description: Primary endpoint for the Redis replication group
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
Key properties:
- SnapshotRetentionLimit: Set to 7 or higher (0 disables backups)
- SnapshotWindow: Optional daily time window for backups in UTC
Terraform (optional)
Use the snapshot_retention_limit argument on your aws_elasticache_replication_group resource:
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "my-redis-cluster"
  description                = "Redis replication group with automatic backups"
  engine                     = "redis"
  node_type                  = "cache.t3.micro"
  num_cache_clusters         = 2
  port                       = 6379
  automatic_failover_enabled = true
  multi_az_enabled           = true

  # Backup configuration - key setting for this check
  snapshot_retention_limit = 7
  snapshot_window          = "05:00-09:00"

  subnet_group_name          = aws_elasticache_subnet_group.redis.name
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
}

resource "aws_elasticache_subnet_group" "redis" {
  name       = "my-redis-subnet-group"
  subnet_ids = var.subnet_ids
}
Key arguments:
- snapshot_retention_limit: Set to 7 or higher (0 disables backups)
- snapshot_window: Optional daily time window for backups in UTC
Verification
After making changes, verify that automatic backups are enabled:
- In the ElastiCache console, select your replication group
- Check the Backup section and confirm the retention period is 7 days or more
CLI Verification (optional)
aws elasticache describe-replication-groups \
  --replication-group-id <your-replication-group-id> \
  --query 'ReplicationGroups[0].{Id:ReplicationGroupId,SnapshotRetentionLimit:SnapshotRetentionLimit,SnapshotWindow:SnapshotWindow}' \
  --region us-east-1
Expected output shows SnapshotRetentionLimit of 7 or higher:
{
  "Id": "my-redis-cluster",
  "SnapshotRetentionLimit": 7,
  "SnapshotWindow": "05:00-09:00"
}
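To run the same check across every replication group in a region instead of one at a time, the following added example (not part of the original page) classifies each group by its SnapshotRetentionLimit, separating disabled backups from retention that is enabled but shorter than 7 days. It assumes Python with boto3 for the live lookup; the sample group IDs and the status labels are made up for illustration.

```python
"""Audit ElastiCache replication groups for automatic-backup retention (added example)."""

MIN_RETENTION_DAYS = 7  # threshold stated by this check


def evaluate_group(group, min_days=MIN_RETENTION_DAYS):
    """Classify one entry of a describe-replication-groups response."""
    # A missing or zero SnapshotRetentionLimit means automatic backups are off.
    limit = group.get("SnapshotRetentionLimit") or 0
    if limit == 0:
        status = "FAIL_DISABLED"          # hypothetical label
    elif limit < min_days:
        status = "FAIL_SHORT_RETENTION"   # hypothetical label
    else:
        status = "PASS"
    return {
        "id": group["ReplicationGroupId"],
        "retention_days": limit,
        "window": group.get("SnapshotWindow"),
        "status": status,
    }


def audit(groups, min_days=MIN_RETENTION_DAYS):
    """Return findings for every group, failures first, then by ID."""
    findings = [evaluate_group(g, min_days) for g in groups]
    return sorted(findings, key=lambda f: (f["status"] == "PASS", f["id"]))


def fetch_groups(region):
    """Page through all replication groups in a region (needs boto3 and credentials)."""
    import boto3  # imported here so the offline demo below runs without it
    client = boto3.client("elasticache", region_name=region)
    paginator = client.get_paginator("describe_replication_groups")
    return [g for page in paginator.paginate() for g in page["ReplicationGroups"]]


# Constructed sample data shaped like the API response; the IDs are made up.
SAMPLE_GROUPS = [
    {"ReplicationGroupId": "sessions-prod", "SnapshotRetentionLimit": 7,
     "SnapshotWindow": "05:00-09:00"},
    {"ReplicationGroupId": "cart-cache", "SnapshotRetentionLimit": 0},
    {"ReplicationGroupId": "rate-limits", "SnapshotRetentionLimit": 3,
     "SnapshotWindow": "02:00-03:00"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):  # use fetch_groups("us-east-1") for a live audit
        print(f"{f['status']:<22} {f['id']:<15} retention={f['retention_days']}d")
```

For a live audit, pass the result of fetch_groups() to audit() once per region you operate in, since the API call is regional.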
Additional Resources
- Amazon ElastiCache Backup and Restore
- Scheduling Automatic Backups
- Restoring From a Backup
- AWS ElastiCache Best Practices
Notes
- Backup window: Choose a time window during low-traffic periods to minimize performance impact
- Retention limit: The maximum retention period is 35 days; consider your compliance requirements when setting this value
- Storage costs: Automatic snapshots are stored in Amazon S3 and incur storage charges
- Cluster mode: For Redis cluster mode enabled, backups capture data across all shards
- Multi-AZ: Consider enabling Multi-AZ alongside backups for high availability
- Manual snapshots: You can also create manual snapshots before major changes; these do not count against your automatic snapshot limit