AWS Security Hub · ElastiCache
ElastiCache.7: A cluster uses the default subnet group
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ElastiCache.7 check?
ElastiCache.7 fails when a cluster uses the subnet group named `default` rather than a purpose-built custom one. Skip the subnet-group step at launch and AWS silently creates the cluster on a default group from the default VPC.
Why does ElastiCache.7 matter?
The default VPC's subnets are attached to public route tables unless you have changed them, so a cluster on the default subnet group can end up one security-group rule away from the open internet. Teams routinely discover during their first audit that a cache they assumed was internal had been in default networking for years — not because anyone chose it, but because nobody chose anything.
How do I fix ElastiCache.7?
- List clusters and check the subnet group name to find any on `default`.
- Create a custom subnet group built from private subnets across multiple AZs.
- Because you cannot change a running cluster's subnet group in place, recreate the cluster (or replication group) on the custom group.
- Default new clusters to a custom subnet group in your IaC, and add a Config rule to catch regressions.
Remediation script · bash

```bash
# Find all clusters on the default subnet group in the current region of the
# account (the CLI is region-scoped, so repeat per region or loop over --region).
aws elasticache describe-cache-clusters \
  --query "CacheClusters[?CacheSubnetGroupName=='default'].[CacheClusterId,Engine,CacheClusterStatus]" \
  --output table

# Create the compliant custom subnet group from private subnets (>= 2 AZs).
aws elasticache create-cache-subnet-group \
  --cache-subnet-group-name app-private-sng \
  --cache-subnet-group-description 'Private subnets for app data caches' \
  --subnet-ids subnet-0aa11bb22 subnet-0cc33dd44 subnet-0ee55ff66

# Verify which clusters still need migrating after each batch (0 means done).
aws elasticache describe-cache-clusters \
  --query "length(CacheClusters[?CacheSubnetGroupName=='default'])"
```

Full walkthrough (console steps, edge cases and verification) in the lesson Configure ElastiCache clusters with a custom subnet group.
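The first step above only tells you which clusters sit on `default`; it does not tell you whether that group's subnets are actually publicly routed, which is what decides how urgently each cluster needs recreating. The following triage function is an added example, not the lesson's own script: it takes output shaped like `describe-cache-clusters`, `describe-cache-subnet-groups` and EC2 `describe-route-tables` (constructed sample data here; in practice fetched with boto3 per region) and flags, for every cluster on the default group, the subnets whose effective route table sends `0.0.0.0/0` to an internet gateway. The VPC, subnet and gateway ids are made up.

```python
# Constructed sample shaped like `describe-cache-clusters`, `describe-cache-subnet-groups`
# and EC2 `describe-route-tables` output; in practice boto3 would fetch these per region.
CLUSTERS = {"CacheClusters": [
    {"CacheClusterId": "legacy-sessions", "CacheSubnetGroupName": "default"},
    {"CacheClusterId": "app-cache-001", "CacheSubnetGroupName": "app-private-sng"},
]}
SUBNET_GROUPS = {"CacheSubnetGroups": [
    {"CacheSubnetGroupName": "default", "VpcId": "vpc-0default",
     "Subnets": [{"SubnetIdentifier": "subnet-0pub1"}, {"SubnetIdentifier": "subnet-0pub2"}]},
    {"CacheSubnetGroupName": "app-private-sng", "VpcId": "vpc-0app",
     "Subnets": [{"SubnetIdentifier": "subnet-0priv1"}, {"SubnetIdentifier": "subnet-0priv2"}]},
]}
ROUTE_TABLES = {"RouteTables": [
    # Default VPC: main table routes 0.0.0.0/0 to an internet gateway and the
    # subnets have no explicit association, so they inherit it (public).
    {"VpcId": "vpc-0default", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    # App VPC: private subnets explicitly use a table whose default route is a NAT.
    {"VpcId": "vpc-0app",
     "Associations": [{"SubnetId": "subnet-0priv1"}, {"SubnetId": "subnet-0priv2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]}

def effective_route_table(subnet_id, vpc_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def subnet_is_public(subnet_id, vpc_id, route_tables):
    """True when the effective route table sends 0.0.0.0/0 to an internet gateway."""
    rt = effective_route_table(subnet_id, vpc_id, route_tables) or {}
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rt.get("Routes", []))

def triage(clusters, subnet_groups, route_tables):
    """Map each cluster on the `default` group to its publicly routed subnet ids."""
    groups = {g["CacheSubnetGroupName"]: g for g in subnet_groups["CacheSubnetGroups"]}
    default = groups.get("default", {"VpcId": None, "Subnets": []})
    return {c["CacheClusterId"]: [s["SubnetIdentifier"] for s in default["Subnets"]
            if subnet_is_public(s["SubnetIdentifier"], default["VpcId"], route_tables)]
            for c in clusters["CacheClusters"] if c.get("CacheSubnetGroupName") == "default"}
```

Every key in the returned dict fails ElastiCache.7; a non-empty list of subnets means the cache is one security-group rule from the internet and should be recreated first.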
More ElastiCache controls
- ElastiCache.1 A Redis cluster has no automatic backups
- ElastiCache.2 ElastiCache is not auto-applying minor patches
- ElastiCache.3 Replication groups should have auto-failover
- ElastiCache.4 Replication groups encrypted at rest
- ElastiCache.5 Replication groups encrypted in transit
- ElastiCache.6 Redis replication groups should have AUTH