AWS Security ChangesHomeSearch

AWS AmazonElastiCache medium security documentation change

Service: AmazonElastiCache · 2026-07-10 · Security-related medium

File: AmazonElastiCache/latest/dg/auth-iam.md

Summary

Updated IAM policy example to use least privilege and migrated code examples to AWS SDK for Java 2.x

Security assessment

Explicitly replaced root account with IAM role in policy example and added least-privilege guidance. This reduces over-permissive access risks. Code migration includes modern credential handling but doesn't fix specific vulnerabilities.

Diff

diff --git a/AmazonElastiCache/latest/dg/auth-iam.md b/AmazonElastiCache/latest/dg/auth-iam.md
index 29522fea4..b097405c0 100644
--- a//AmazonElastiCache/latest/dg/auth-iam.md
+++ b//AmazonElastiCache/latest/dg/auth-iam.md
@@ -79,3 +78,0 @@ JSON
-****
-    
-    
@@ -84 +81,2 @@ JSON
-        "Statement": {
+        "Statement": [
+            {
@@ -86 +84,3 @@ JSON
-            "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+                "Principal": {
+                    "AWS": "arn:aws:iam::123456789012:role/my-application-role"
+                },
@@ -88,0 +89 @@ JSON
+        ]
@@ -90,0 +92,3 @@ JSON
+###### Note
+
+Replace ``my-application-role`` with the IAM role or user that needs to connect to your cache. Use a least-privilege principal rather than the account root to limit which identities can assume this role.
@@ -172 +176 @@ You first need to generate the short-lived IAM authentication token using an [AW
-    AWSCredentialsProvider awsCredentialsProvider = new DefaultAWSCredentialsProviderChain();
+    AwsCredentialsProvider awsCredentialsProvider = DefaultCredentialsProvider.create();
@@ -177 +181 @@ You first need to generate the short-lived IAM authentication token using an [AW
-    String iamAuthToken = iamAuthTokenRequest.toSignedRequestUri(awsCredentialsProvider.getCredentials());
+    String iamAuthToken = iamAuthTokenRequest.toSignedRequestUri(awsCredentialsProvider.resolveCredentials());
@@ -195 +199 @@ Below is the definition for `IAMAuthTokenRequest`.
-        private static final HttpMethodName REQUEST_METHOD = HttpMethodName.GET;
+        private static final SdkHttpMethod REQUEST_METHOD = SdkHttpMethod.GET;
@@ -203 +207 @@ Below is the definition for `IAMAuthTokenRequest`.
-        private static final long TOKEN_EXPIRY_SECONDS = 900;
+        private static final Duration TOKEN_EXPIRY_DURATION = Duration.ofSeconds(900);
@@ -217,8 +221,4 @@ Below is the definition for `IAMAuthTokenRequest`.
-        public String toSignedRequestUri(AWSCredentials credentials) throws URISyntaxException {
-            Request<Void> request = getSignableRequest();
-            sign(request, credentials);
-            return new URIBuilder(request.getEndpoint())
-                .addParameters(toNamedValuePair(request.getParameters()))
-                .build()
-                .toString()
-                .replace(REQUEST_PROTOCOL, "");
+        public String toSignedRequestUri(AwsCredentials credentials) {
+            SdkHttpFullRequest request = getSignableRequest();
+            SdkHttpFullRequest signedRequest = sign(request, credentials);
+            return signedRequest.getUri().toString().replace(REQUEST_PROTOCOL, "");
@@ -227,6 +227,6 @@ Below is the definition for `IAMAuthTokenRequest`.
-        private <T> Request<T> getSignableRequest() {
-            Request<T> request  = new DefaultRequest<>(SERVICE_NAME);
-            request.setHttpMethod(REQUEST_METHOD);
-            request.setEndpoint(getRequestUri());
-            request.addParameters(PARAM_ACTION, Collections.singletonList(ACTION_NAME));
-            request.addParameters(PARAM_USER, Collections.singletonList(userId));
+        private SdkHttpFullRequest getSignableRequest() {
+            SdkHttpFullRequest.Builder builder = SdkHttpFullRequest.builder()
+                .method(REQUEST_METHOD)
+                .uri(getRequestUri())
+                .appendRawQueryParameter(PARAM_ACTION, ACTION_NAME)
+                .appendRawQueryParameter(PARAM_USER, userId);
@@ -234 +234 @@ Below is the definition for `IAMAuthTokenRequest`.
-                request.addParameters(PARAM_RESOURCE_TYPE, Collections.singletonList(RESOURCE_TYPE_SERVERLESS_CACHE));
+                builder.appendRawQueryParameter(PARAM_RESOURCE_TYPE, RESOURCE_TYPE_SERVERLESS_CACHE);
@@ -236 +236 @@ Below is the definition for `IAMAuthTokenRequest`.
-            return request;
+            return builder.build();
@@ -243,15 +243,11 @@ Below is the definition for `IAMAuthTokenRequest`.
-        private <T> void sign(SignableRequest<T> request, AWSCredentials credentials) {
-            AWS4Signer signer = new AWS4Signer();
-            signer.setRegionName(region);
-            signer.setServiceName(SERVICE_NAME);
-    
-            DateTime dateTime = DateTime.now();
-            dateTime = dateTime.plus(Duration.standardSeconds(TOKEN_EXPIRY_SECONDS));
-    
-            signer.presignRequest(request, credentials, dateTime.toDate());
-        }
-    
-        private static List<NameValuePair> toNamedValuePair(Map<String, List<String>> in) {
-            return in.entrySet().stream()
-                .map(e -> new BasicNameValuePair(e.getKey(), e.getValue().get(0)))
-                .collect(Collectors.toList());
+        private SdkHttpFullRequest sign(SdkHttpFullRequest request, AwsCredentials credentials) {
+            AwsV4HttpSigner signer = AwsV4HttpSigner.create();
+            SignedRequest signedRequest = signer.sign(r -> r.identity(credentials)
+                .request(request)
+                .putProperty(AwsV4HttpSigner.SERVICE_SIGNING_NAME, SERVICE_NAME)
+                .putProperty(AwsV4HttpSigner.REGION_NAME, region)
+                .putProperty(AwsV4HttpSigner.AUTH_LOCATION, AwsV4HttpSigner.AuthLocation.QUERY_STRING)
+                .putProperty(AwsV4HttpSigner.EXPIRATION_DURATION, TOKEN_EXPIRY_DURATION)
+                .build()
+            );
+            return (SdkHttpFullRequest) signedRequest.request();
@@ -273 +269 @@ The code below shows how to authenticate with ElastiCache using the IAM authenti
-    AWSCredentialsProvider awsCredentialsProvider = new DefaultAWSCredentialsProviderChain();
+    AwsCredentialsProvider awsCredentialsProvider = DefaultCredentialsProvider.create();
@@ -301 +297 @@ Below is an example of a Lettuce Redis OSS client that wraps the IAMAuthTokenReq
-        private final AWSCredentialsProvider awsCredentialsProvider;
+        private final AwsCredentialsProvider awsCredentialsProvider;
@@ -308 +304 @@ Below is an example of a Lettuce Redis OSS client that wraps the IAMAuthTokenReq
-            AWSCredentialsProvider awsCredentialsProvider) {
+            AwsCredentialsProvider awsCredentialsProvider) {
@@ -321 +317 @@ Below is an example of a Lettuce Redis OSS client that wraps the IAMAuthTokenReq
-            return iamAuthTokenRequest.toSignedRequestUri(awsCredentialsProvider.getCredentials());
+            return iamAuthTokenRequest.toSignedRequestUri(awsCredentialsProvider.resolveCredentials());