AWS AmazonElastiCache documentation change
Summary
Updated RBAC documentation with expanded details on Valkey integration, user group constraints, authentication modes (authN/authZ), and clarified command usage. Added a dedicated 'RBAC with Valkey' section outlining security features like mandatory authentication (password/IAM), default user disabling, and user group restrictions.
Security assessment
The changes add documentation about security features such as fine-grained permissions (authZ), per-user passwords (authN), IAM authentication enforcement, and disabling default users. These are security best practices but do not explicitly address a specific vulnerability or incident.
Diff
diff --git a/AmazonElastiCache/latest/dg/Clusters.RBAC.md b/AmazonElastiCache/latest/dg/Clusters.RBAC.md index 31a567aae..a594a1fd7 100644 --- a//AmazonElastiCache/latest/dg/Clusters.RBAC.md +++ b//AmazonElastiCache/latest/dg/Clusters.RBAC.md @@ -9 +9 @@ Specifying Permissions Using an Access StringApplying RBAC to an ElastiCache Val -Instead of authenticating users with the Valkey and Redis OSS AUTH command as described in [Authenticating with the Valkey and Redis OSS AUTH command](./auth.html), in Valkey 7.2 and onward and Redis OSS 6.0 onward you can use a feature called Role-Based Access Control (RBAC). RBAC is also the only way to control access to serverless caches. +With the Valkey and Redis OSS AUTH command as described in [Authenticating with the Valkey and Redis OSS AUTH command](./auth.html) you can use Role-Based Access Control (RBAC). RBAC is also the only way to control access to serverless caches. This is available for Valkey 7.2 and onward, and Redis OSS 6.0 to 7.2. @@ -11 +11 @@ Instead of authenticating users with the Valkey and Redis OSS AUTH command as de -Unlike Valkey and Redis OSS AUTH, where all authenticated clients have full cache access if their token is authenticated, RBAC enables you to control cache access through user groups. These user groups are designed as a way to organize access to caches. +RBAC enables you to: @@ -13 +13,14 @@ Unlike Valkey and Redis OSS AUTH, where all authenticated clients have full cach -With RBAC, you create users and assign them specific permissions by using an access string, as described following. You assign the users to user groups aligned with a specific role (administrators, human resources) that are then deployed to one or more ElastiCache caches. By doing this, you can establish security boundaries between clients using the same Valkey or Redis OSS cache or caches and prevent clients from accessing each other’s data. + * Control cache access through user groups. These user groups are designed as a way to organize access to caches. + + * With _authN_ , have per user passwords as opposed to per cluster auth tokens. + + * With _authZ_ , have fine-grained user permissions. + + * Base your cluster access on ACLs. + + + + +Unlike Valkey and Redis OSS AUTH, where all authenticated clients have full cache access if their token is authenticated, RBAC enables you to assign users to sets depending on the users' desired roles. These sets are designed as a way to organize access to caches. + +With RBAC, you create users and assign them specific permissions by using an access string, as described following. You assign the users to sets aligned with a specific role (administrators, human resources) that are then deployed to one or more ElastiCache caches. By doing this, you can establish security boundaries between clients using the same Valkey or Redis OSS cache or caches, and prevent clients from accessing each other’s data. @@ -16,0 +30,4 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a + * When using RBAC with Valkey, you can associate roles with both Valkey and Redis OSS caches. This is because a Valkey cluster can contain both Valkey and Redis OSS caches. + + * When using RBAC with Redis OSS, roles can only be applied to Redis OSS caches. + @@ -19 +36 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a - * For user rights, you pass `on` and `off` as a part of the access string. If neither is specified in the access string, the user is assigned `off` and doesn't have access rights to the cache. + * For user rights, you enable or disable users with the `on` and `off` as a part of the access string. If neither is specified in the access string, the user is assigned `off` and doesn't have access rights to the cache. @@ -21 +38 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a - * You can't use forbidden and renamed commands. If you specify a forbidden or a renamed command, an exception will be thrown. If you want to use access control lists (ACLs) for a renamed command, specify the original name of the command, in other words the name of the command before it was renamed. + * You can't use forbidden and renamed commands as part of the access string. If you specify a forbidden or a renamed command, an exception will be thrown. If you want to use access control lists (ACLs) for a renamed command, specify the original name of the command, in other words the name of the command before it was renamed. @@ -23 +40 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a - * You can't use the `reset` command as a part of an access string. You specify passwords with API parameters, and ElastiCache for Redis OSS manages passwords. Thus, you can't use `reset` because it would remove all passwords for a user. + * You can't use the `reset` command as a part of an access string. You specify passwords with API parameters, and ElastiCache for Valkey and Redis OSS manages passwords. Thus, you can't use `reset` because it would remove all passwords for a user. @@ -25 +42 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a - * Redis OSS 6 introduces the [ACL LIST](https://valkey.io/commands/acl-list) command. This command returns a list of users along with the ACL rules applied to each user. ElastiCache for Redis OSS supports the `ACL LIST` command, but does not include support for password hashes as Redis OSS does. With ElastiCache for Redis OSS, you can use the [describe-users](https://docs.aws.amazon.com/cli/latest/reference/elasticache/describe-users.html) operation to get similar information, including the rules contained within the access string. However, [describe-users](https://docs.aws.amazon.com/cli/latest/reference/elasticache/describe-users.html) doesn't retrieve a user password. + * Redis OSS 6 introduces the [ACL LIST](https://valkey.io/commands/acl-list) command. This command returns a list of users along with the ACL rules applied to each user. ElastiCache supports the `ACL LIST` command, but does not include support for password hashes as Redis OSS does. With ElastiCache, you can use the [DescribeUsers](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_DescribeUsers.html) operation to get similar information, including the rules contained within the access string. However, [DescribeUsers](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_DescribeUsers.html) doesn't retrieve a user password. @@ -27 +44 @@ RBAC is designed to support the introduction of [ACL](https://valkey.io/topics/a -Other read-only commands supported by ElastiCache for Valkey and Redis OSS include [ACL WHOAMI](https://valkey.io/commands/acl-whoami), [ACL USERS](https://valkey.io/commands/acl-users), and [ACL CAT](https://valkey.io/commands/acl-cat). ElastiCache for Valkey and Redis OSS doesn't support any other write-based ACL commands. + * Other read-only commands supported by ElastiCache for Valkey and Redis OSS include [ACL WHOAMI](https://valkey.io/commands/acl-whoami), [ACL USERS](https://valkey.io/commands/acl-users), and [ACL CAT](https://valkey.io/commands/acl-cat). ElastiCache for Valkey and Redis OSS doesn't support any other write-based ACL commands. @@ -29 +46 @@ Other read-only commands supported by ElastiCache for Valkey and Redis OSS inclu - * The following constraints apply: + * The following limits apply: @@ -40 +57,20 @@ Number of user groups | 100 -Using RBAC with ElastiCache for Redis OSS is described in more detail following. +**RBAC with Valkey** + +When using Role Based Access Control with Valkey, users and user groups are made with the "VALKEY" engine type. This is recommended, as by default Valkey with RBAC provides increased security compared to Redis OSS. Both provisioned and serverless Valkey clusters support VALKEY user and user group associations. + +Key features of Valkey Access Control include: + + * Valkey users are restricted to Valkey user group associations only. + + * Valkey user groups can contain Valkey users, and Redis OSS users who are either password protected or IAM auth enabled. + + * Valkey users must use either password protection or IAM authentication. + + * VALKEY user groups can only be associated to VALKEY cache clusters + + * There is no default user requirement. When the Valkey user group is attached to cache clusters, the default user requirement is automatically disabled. Customers will see that default user is turned off when using the ACL LIST command. + + + + +More information on using RBAC with ElastiCache for Valkey and Redis OSS follows. @@ -61 +97 @@ Using RBAC with ElastiCache for Redis OSS is described in more detail following. -To specify permissions to an ElastiCache for Redis OSS cache, you create an access string and assign it to a user, using either the AWS CLI or AWS Management Console. +To specify permissions to an ElastiCache Valkey or Redis OSS cache, you create an access string and assign it to a user through either the AWS CLI or AWS Management Console. @@ -135 +171 @@ To use ElastiCache for Valkey or Redis OSS RBAC, you take the following steps: -These steps are described in detail following. +These steps are described in detail as follows. @@ -172 +208 @@ The following procedures shows how to swap the original `default` user with anot - 5. In the **Modify** window, choose **Manage** and for select the user that you want as the default user with the **User name** as default. + 5. In the **Modify** window, choose **Manage**. For "select the user that you want", select the user with the **User name** as default. @@ -190 +226 @@ For Linux, macOS, or Unix: - --engine "REDIS" \ + --engine "VALKEY" \ @@ -199 +235 @@ For Windows: - --engine "REDIS" ^ + --engine "VALKEY" ^ @@ -209 +245 @@ For Linux, macOS, or Unix: - --engine "REDIS" \ + --engine "VALKEY" \ @@ -217 +253 @@ For Windows: - --engine "REDIS" ^ + --engine "VALKEY" ^ @@ -221,18 +256,0 @@ For Windows: - 3. Swap the new `default` user with the original `default` user. - -For Linux, macOS, or Unix: - - aws elasticache modify-user-group \ - --user-group-id test-group \ - --user-ids-to-add "new-default-user" \ - --user-ids-to-remove "default" - -For Windows: - - aws elasticache modify-user-group ^ - --user-group-id test-group ^ - --user-ids-to-add "new-default-user" ^ - --user-ids-to-remove "default" - -When this modify operation is called, any existing connections to a cache that the original default user has are terminated. - @@ -244 +262 @@ When creating a user, you can set up to two passwords. When you modify a passwor -In particular, be aware of these user password constraints when using RBAC for ElastiCache for Redis OSS: +In particular, be aware of these user password constraints when using RBAC for ElastiCache for Valkey and Redis OSS: @@ -287 +305 @@ For Linux, macOS, or Unix: - --no-password-required + --authentication-mode Type=iam @@ -294 +312 @@ For Windows: - --no-password-required + --authentication-mode Type=iam @@ -345 +363 @@ The following operations are available to create new user groups: -When you create a user group, you are required to include the default user. +If you are not using a Valkey or Redis OSS user group then you must include a default user when creating a user group. @@ -376 +394 @@ For Linux, macOS, or Unix: - --engine "REDIS" \ + --engine "VALKEY" \ @@ -383 +401 @@ For Windows: - --engine "REDIS" ^ + --engine "VALKEY" ^ @@ -402 +420 @@ For Windows: - --user-ids-to-add userid-3 ^ + --user-ids-to-add user-id-3 ^ @@ -457 +475 @@ The following AWS CLI operation creates a serverless cache using the **user-grou - * `--engine` – Must be `valkey` or `redis`. + * `--engine` – Must be `VALKEY` or `REDIS`. @@ -470 +488 @@ For Linux, macOS, or Unix: - --engine "redis" \ + --engine "VALKEY" \ @@ -480 +498 @@ For Windows: - --engine "redis" ^ + --engine "VALKEY" ^ @@ -544 +562 @@ For Linux, macOS, or Unix: - --engine "redis" \ + --engine "VALKEY" \ @@ -556 +574 @@ For Windows: - --engine "redis" ^ + --engine "VALKEY" ^