ElastiCache cluster is using the default subnet group
Description
This policy is checking to ensure that ElastiCache clusters are not using the default subnet group provided by AWS. This is a potential issue for a few reasons. First, using the default subnet group may not align with the specific security or access control requirements of your particular applications or user groups. Custom subnet groups allow you to define network traffic routing and access rules more granularly. Second, having all ElastiCache clusters in the default subnet group may lead to situations where a network issue impacts all clusters instead of a single one. By having separate subnet groups, you can isolate clusters and minimize the impact of any potential issues. So, this policy tries to avoid these potential issues by making sure that each ElastiCache cluster has its own dedicated subnet group.
Code Example
resource "aws_elasticache_subnet_group" "example" {
name = "example"
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
}
resource "aws_elasticache_cluster" "example" {
cluster_id = "cluster-example"
engine = "memcached"
node_type = "cache.m4.large"
num_cache_nodes = 2
parameter_group_name = "default.memcached1.4"
engine_version = "1.4.24"
+ subnet_group_name = aws_elasticache_subnet_group.example.name
}Remediation
Terraform
- Resource: aws_elasticache_cluster
- Arguments: subnet_group_name
To fix this issue, you need to create a custom subnet group instead of using the default one, and attach it to the ElastiCache cluster. The subnet group should contain the appropriate subnets for your application.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0370 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_323 |