
Quick Start Security for Amazon ElastiCache

Amazon ElastiCache

Coralogix Extension For Amazon ElastiCache Includes:

Alerts - 8

Stay on top of Amazon ElastiCache key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Cache security group modification

This rule monitors the modification of a cache security group. A cache security group is a virtual firewall that controls access to Amazon ElastiCache clusters. It defines inbound and outbound network traffic rules, allowing you to specify which IP addresses or security groups can access the cache clusters and what ports they can use for communication.

Impact: Cache security group modifications can lead to potential unauthorized access or changes in network connectivity, impacting cache security and availability.

Mitigation: Validate that the action was approved; investigate further if not.

MITRE Tactic: TA0005
MITRE Technique: T1098

Cache security group deletion detected

This rule detects deletion of a cache security group.

Impact: This alert indicates the deletion of a cache security group in Amazon ElastiCache, potentially leading to the removal of security controls for associated cache clusters, allowing unauthorized access and security vulnerabilities.

Mitigation: Investigate the reason for the security group deletion, ensure proper access controls and permissions are in place, and promptly address any unauthorized activities or misconfigurations.

MITRE Tactic: TA0040
MITRE Technique: T1485

Excessive cache cluster creation detected

This alert triggers when a single user attempts more than 10 cache cluster creations within a 5-minute interval.

Impact: This alert indicates excessive cache cluster creation, potentially suggesting misconfigurations, operational issues, or security risks within the Amazon ElastiCache environment.

Mitigation: Validate that the action was approved; investigate further if not.

MITRE Tactic: TA0007
MITRE Technique: T1082

Cache cluster modification detected

This rule monitors the update of a cache cluster.

Impact: Cache cluster modifications can impact cache performance, data integrity, and application availability, potentially leading to unintended consequences.

Mitigation: Validate that the action was approved; investigate further if not.

MITRE Tactic: TA0005
MITRE Technique: T1098

Cache cluster deletion detected

This rule detects deletion of a cache cluster.

Impact: Cache cluster deletion can result in data loss, service disruption, and potential impact on applications reliant on the cache, affecting performance and availability.

Mitigation: Investigate the reason for the cache cluster deletion, ensure proper access controls and permissions are in place, and promptly address any unauthorized activities or misconfigurations.

MITRE Tactic: TA0040
MITRE Technique: T1485

Cache snapshot deletion detected

This rule detects deletion of a cache snapshot.

Impact: Cache snapshot deletion can lead to data loss, compromised disaster recovery, and potential disruptions in data availability and restoration.

Mitigation: Investigate the snapshot deletion event, enforce stringent access controls for snapshot management, and regularly review and monitor snapshot activities.

MITRE Tactic: TA0040
MITRE Technique: T1485

Excessive cache snapshot deletion detected

This alert triggers when a single user attempts more than 10 cache snapshot deletions within a 5-minute interval.

Impact: This alert indicates excessive cache snapshot deletions, which can indicate potential brute force or unauthorized access attempts.

Mitigation: Investigate the reason for the high volume of cache snapshot deletion, ensure proper access controls and permissions are in place, and promptly address any unauthorized activities or misconfigurations.

MITRE Tactic: TA0040
MITRE Technique: T1485

Excessive cache cluster deletion detected

This alert triggers when a single user attempts more than 10 cache cluster deletions within a 5-minute interval.

Impact: This alert indicates an abnormal pattern of excessive cache cluster deletions, which can potentially disrupt data management operations, cause loss of important metadata, and may suggest unauthorized or malicious activity.

Mitigation: Investigate the reason for the high volume of cache cluster deletion, ensure proper access controls and permissions are in place, and promptly address any unauthorized activities or misconfigurations.

MITRE Tactic: TA0040
MITRE Technique: T1485
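
The three "excessive" alerts above share one shape: more than 10 attempts of one action by one user inside 5 minutes. The following is an added example of that sliding-window check, not Coralogix's rule definition; it assumes the input is AWS CloudTrail management events, and the user ARNs, account ID and sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: input is CloudTrail management events for these ElastiCache actions.
WATCHED = {"CreateCacheCluster", "DeleteCacheCluster", "DeleteSnapshot"}
THRESHOLD = 10                 # alert on MORE than 10 attempts ...
WINDOW = timedelta(minutes=5)  # ... within a 5-minute interval
FMT = "%Y-%m-%dT%H:%M:%SZ"

def excessive_activity(events, threshold=THRESHOLD, window=WINDOW):
    """Return sorted (user ARN, action) pairs exceeding threshold in window.
    Failed calls (errorCode set) count too: the rules speak of attempts."""
    recent = defaultdict(deque)  # (user, action) -> timestamps inside window
    flagged = set()
    for ev in sorted(events, key=lambda e: datetime.strptime(e["eventTime"], FMT)):
        if (ev.get("eventSource") != "elasticache.amazonaws.com"
                or ev.get("eventName") not in WATCHED):
            continue
        key = (ev["userIdentity"]["arn"], ev["eventName"])
        q = recent[key]
        q.append(datetime.strptime(ev["eventTime"], FMT))
        while q[-1] - q[0] >= window:  # drop attempts older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(key)
    return sorted(flagged)

def sample_events(user, action, count, step_seconds, error=None):
    """Constructed CloudTrail-style records: count calls, evenly spaced."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    return [{
        "eventSource": "elasticache.amazonaws.com",
        "eventName": action,
        "eventTime": (start + timedelta(seconds=i * step_seconds)).strftime(FMT),
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        **({"errorCode": error} if error else {}),
    } for i in range(count)]

# Constructed sample data, not real logs.
CONSTRUCTED = (
    sample_events("alice", "DeleteSnapshot", 11, 20)        # 11 in 200 s: alert
    + sample_events("bob", "DeleteCacheCluster", 11, 60)    # spread over 10 min
    + sample_events("carol", "CreateCacheCluster", 10, 1)   # exactly 10: no alert
    + sample_events("dave", "CreateCacheCluster", 12, 5, "AccessDenied")  # failed
)

for user, action in excessive_activity(CONSTRUCTED):
    print(f"ALERT: {user} made more than {THRESHOLD} {action} calls in 5 minutes")
```

Counting denied calls matters here: a burst of failed creations or deletions from one identity is often the first visible sign that a credential is being used outside its intended permissions.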

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon ElastiCache in our documentation.
