[Deprecations] AWS Elasticache Security Group Rules #5334
Merged
+33
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ElastiCache cache security groups are only used with EC2-Classic deployments. AWS officially retired EC2-Classic and no longer supports launching ElastiCache clusters in EC2-Classic networking environments. All modern ElastiCache deployments run in a VPC and rely on standard EC2 security groups (ec2.amazonaws.com APIs) rather than CacheSecurityGroup APIs (elasticache.amazonaws.com). This behavior is covered by this existing rule: - https://github.com/elastic/detection-rules/blob/fe642a879a412db71492f5d776e1e3338a531266/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml These rules no longer match any behavior in supported AWS environments and so should be deprecated. This PR: - Marks both rules with `Deprecated - ` title to start deprecation process - Updates rule description to clarify that they are only relevant for historical EC2-Classic log analysis. - Recommends relying on the existing EC2 security group rule for network-control changes impacting ElastiCache in VPC-based deployments. I've tested this scenario by creating an Elasticache cluster, creating, and modifying security group rules. Below is a screenshot verifying that the activity is indeed captured by the normal EC2/VPC security group rule. There were no alerts triggered for the "Elasticache Security Group" Rules
imays11
requested review from
Aegrah,
shashank-elastic,
terrancedejesus and
w0rk3r
imays11
added
Integration: AWS
Contributor
Rule: Deprecation - GuidelinesThese guidelines serve as a reminder set of considerations when recommending the deprecation of a rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
Aegrah
approved these changes
Nov 19, 2025
shashank-elastic
approved these changes
Nov 19, 2025
terrancedejesus
approved these changes
Nov 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary - What I changed
ElastiCache cache security groups are only used with EC2-Classic deployments. AWS officially retired EC2-Classic and no longer supports launching ElastiCache clusters in EC2-Classic networking environments.
All modern ElastiCache deployments run in a VPC and rely on standard EC2 security groups (ec2.amazonaws.com APIs) rather than CacheSecurityGroup APIs (elasticache.amazonaws.com).
Therefore, security group behavior for Elasticache is covered by this existing rule:
These Elasticache Security Group rules no longer match any behavior in supported AWS environments and should be deprecated. This PR:
Deprecated -title to start deprecation processHow To Test
I've tested this scenario by creating an Elasticache cluster, creating and modifying security group rules. Below is a screenshot verifying that the activity is indeed captured by the existing EC2/VPC security group rule. There were no alerts triggered for the "Elasticache Security Group" Rules because those APIs are no longer used in modern deployments.