How to Access A Secure Elasticache Cluster?

Swati Sannidhi
3 min read, Sep 25, 2020

An application using an ElastiCache (Redis) cluster for in-memory caching in production needs security at several levels. The most obvious ones are provisioning the cluster in private subnets inside a VPC, enabling encryption at rest, enabling encryption in transit, and configuring a security group that restricts access to the ElastiCache (Redis) cluster.

While troubleshooting operational issues, you may run into a scenario that requires direct access to your secure Redis cluster.

For ElastiCache instances provisioned inside a VPC, you can only connect from an EC2 instance running in the same VPC, or from an EC2 instance in another VPC through VPC peering.

The following steps might come in handy:

  • Identify the connection endpoint based on the type of your cluster. It can be found in the AWS console under Elasticache Dashboard -> Redis -> <cluster> -> Description.
  • Add an inbound rule to the redis cluster’s security group to allow access from the ec2 instance’s security group.
  • Check whether any network ACLs are enabled for the subnets in which the Redis cluster is provisioned. If so, configure the associated NACL to allow traffic on the Redis cluster port.
  • Login to the ec2 instance within the same vpc as your redis cluster.
ssh -i <path_to_key_file> ec2-user@<public_ip>
  • As root user, install redis-cli
# yum install -y gcc
# wget http://download.redis.io/redis-stable.tar.gz && tar xzf redis-stable.tar.gz && cd redis-stable && make && make install
  • At this point, if your redis cluster does not have encryption in transit enabled, you can directly connect to the cluster using redis-cli
$ redis-cli -h <connection_endpoint_without_port> -p <cluster_port>

For ElastiCache instances with encryption in transit enabled, you have to connect using a client that supports SSL. As redis-cli doesn’t support SSL or Transport Layer Security (TLS), you can use the stunnel command to create an SSL tunnel to the Redis cluster and connect through it.

  • As root user, install stunnel
# yum install -y stunnel
  • As root user, add the Redis connection endpoint determined in the first step to the configuration template below. You may also add multiple connection configurations to this file, for example to connect to a reader endpoint or to another cluster.
# vi /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
delay = yes
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
client = yes
accept = 127.0.0.1:6666
connect = <connection_endpoint>
  • Start stunnel and verify that the tunnels are listening (the check can be run as a non-root user)
$ sudo stunnel /etc/stunnel/redis-cli.conf
$ sudo netstat -tulnp | grep -i stunnel
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      18385/stunnel
  • Connect to the encrypted Redis cluster through the local endpoint of the tunnel and run the commands you need, for example to view key-value pairs in the cache or to clear the cache with flushall. For an extensive list of redis-cli commands, check the link in the References section.
$ redis-cli -h localhost -p 6666
localhost:6666> keys *
1) abc:xyz
2) 123:456
localhost:6666> flushall
OK
  • Finally, once you are done, stop and close the SSL tunnels.
sudo pkill stunnel
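The configuration step above is written by hand for one endpoint. As an added example (not part of the original article), the shell function below generates the same /etc/stunnel/redis-cli.conf layout for one or more NAME=HOST:PORT endpoints, giving each tunnel its own local port starting at 6666, and rejects malformed endpoints before anything is written. The endpoint names are constructed placeholders; the optional STUNNEL_CAFILE variable is an assumption of this example and, when set, adds stunnel's verifyChain/CAfile/checkHost options so the tunnel checks the cluster's certificate instead of trusting any server at that address.

```shell
#!/bin/sh
# Generate an stunnel client config for one or more ElastiCache endpoints.
# Usage: gen_stunnel_conf NAME=HOST:PORT [NAME=HOST:PORT ...] > /etc/stunnel/redis-cli.conf
# Each section listens on 127.0.0.1:<port>, starting at 6666 and counting up.
gen_stunnel_conf() {
    local_port=6666
    # Global section, matching the article's template.
    printf 'fips = no\nsetuid = root\nsetgid = root\npid = /var/run/stunnel.pid\n'
    printf 'debug = 7\ndelay = yes\noptions = NO_SSLv2\noptions = NO_SSLv3\n'
    for spec in "$@"; do
        # Reject anything that is not NAME=HOST:PORT with a numeric port.
        case "$spec" in
            *=*:*) ;;
            *) echo "bad endpoint spec (want NAME=HOST:PORT): $spec" >&2; return 1 ;;
        esac
        name=${spec%%=*}
        endpoint=${spec#*=}
        host=${endpoint%:*}
        port=${endpoint##*:}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in: $spec" >&2; return 1 ;;
        esac
        printf '\n[%s]\nclient = yes\naccept = 127.0.0.1:%d\nconnect = %s:%s\n' \
            "$name" "$local_port" "$host" "$port"
        if [ -n "${STUNNEL_CAFILE:-}" ]; then
            # Assumption: STUNNEL_CAFILE holds the CA bundle that issued the
            # cluster's certificate; checkHost pins the expected hostname.
            printf 'verifyChain = yes\nCAfile = %s\ncheckHost = %s\n' \
                "$STUNNEL_CAFILE" "$host"
        fi
        local_port=$((local_port + 1))
    done
}

# Constructed sample endpoints (placeholders, not real cluster names).
gen_stunnel_conf \
    primary=example-primary.cache.amazonaws.com:6379 \
    reader=example-reader.cache.amazonaws.com:6379
```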

Additionally, you can create an AMI of the EC2 instance after completing the above configuration and use it to spin up an instance whenever one is required.

References: