Migrating from ElastiCache to Redis Cloud via S3 Bucket

Last updated 26 Mar 2025

Goal

This article explains how to migrate from ElastiCache to Redis Cloud using an S3 bucket.

Solution

Step 1. Create S3 bucket and grant ElastiCache access

  1. Follow AWS' Exporting a backup tutorial, paying special attention to enabling ACLs and adding the Canonical ID for the ElastiCache grantee.
  2. Choose the Permissions tab, and under Permissions, choose Access Control List (ACL) and then choose Edit.
  3. Add grantee Canonical ID 540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353 with the following options:
    • Objects: List, Write
    • Bucket ACL: Read, Write

This ensures that ElastiCache can export backups to your bucket. The resulting backup objects are created with a unique external AWS account as Owner: aws-scs-s3-readonly.

Step 2. Export all ElastiCache backups to S3

I found this easiest to do by using the AWS Console as directed in the "Exporting an ElastiCache backup (Console)" dropdown of Export an ElastiCache backup.

You can use the AWS Console or the CLI with an IAM caller that has sufficient permissions.

Example required IAM permissions provided by AWS:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:ListBucket"
        ],
        "Resource": "arn:aws:s3:::*"
    }]
}

As you might notice, for ElastiCache backup objects, the object Owner will always be aws-scs-s3-readonly, and the Canonical ID for the ElastiCache grantee refers to an external account.

Step 3. Add Redis Cloud bucket policy to grant Redis Cloud access to your bucket

  1. Use the Services menu to locate and select Storage > S3. This takes you to the Amazon S3 admin panel.
  2. Use the Buckets list to locate and select your bucket. When the settings appear, select the Permissions tab, locate the Bucket policy section, and click Edit.
  3. If there is no existing bucket policy, add the following JSON bucket policy. Replace UNIQUE-BUCKET-NAME with the name of your bucket.
{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "RedisCloudBackupsAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::168085023892:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::UNIQUE-BUCKET-NAME/*"
        }
    ]
}

If a bucket policy already exists, add the following JSON policy statement to the list of statements. Replace UNIQUE-BUCKET-NAME with the name of your bucket.

{
    "Sid": "RedisCloudBackupsAccess",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::168085023892:root"
    },
    "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::UNIQUE-BUCKET-NAME/*"
}
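Both cases in Step 3 (no policy yet, or an existing policy to extend) can be handled by one merge routine. The following is an added example, not code from Redis or AWS; the function names and the simplified bucket-name check are assumptions, while the principal, Sid and actions are the ones in the statement above.

```python
import copy
import re

# Values from the Redis Cloud statement above (IAM action names are case-insensitive).
REDIS_CLOUD_PRINCIPAL = "arn:aws:iam::168085023892:root"
REDIS_CLOUD_SID = "RedisCloudBackupsAccess"
REDIS_CLOUD_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]

# Simplified S3 naming rule (assumption): 3-63 chars of lowercase, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def redis_cloud_statement(bucket):
    """Build the statement; an unreplaced UNIQUE-BUCKET-NAME placeholder is rejected."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return {
        "Sid": REDIS_CLOUD_SID,
        "Effect": "Allow",
        "Principal": {"AWS": REDIS_CLOUD_PRINCIPAL},
        "Action": list(REDIS_CLOUD_ACTIONS),
        "Resource": f"arn:aws:s3:::{bucket}/*",  # objects in this one bucket only
    }


def merge_into_policy(existing, bucket):
    """Return a new policy containing exactly one Redis Cloud statement.

    `existing` is the current bucket policy as a dict, or None if there is none.
    """
    stmt = redis_cloud_statement(bucket)
    if existing is None:
        return {"Version": "2012-10-17", "Id": "MyBucketPolicy", "Statement": [stmt]}
    policy = copy.deepcopy(existing)  # never mutate the caller's copy
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    # Drop any earlier copy (same Sid) so re-running does not duplicate it.
    statements = [s for s in statements if s.get("Sid") != REDIS_CLOUD_SID]
    policy["Statement"] = statements + [stmt]
    return policy
```

Serialise the returned dict with `json.dumps(policy, indent=4)` and paste it into the Bucket policy editor.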

Be sure to also account for the key policy requirements if the bucket is encrypted using SSE-KMS.

If the bucket is encrypted using SSE-KMS, add the following statement to your key policy. If you do not have a key policy, see Creating a key policy. Replace <UNIQUE-BUCKET-NAME> with the name of your bucket and <KMS-KEY-ARN> with your key's Amazon Resource Name (ARN).

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::168085023892:root"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": [
        "arn:aws:s3:::<UNIQUE-BUCKET-NAME>/*",
        "<KMS-KEY-ARN>"
    ]
}

Step 4. Remove ElastiCache grantee and disable ACLs on the bucket

Our bucket policy will NOT APPLY to the ElastiCache backup objects as long as ACLs are enabled and the objects are owned by aws-scs-s3-readonly.

The bucket policy, written in JSON, provides access to the objects stored in the bucket. Bucket policies don't apply to objects owned by other accounts.

By disabling ACLs, ownership of all objects reverts to the bucket owner, which ensures our bucket policy applies.
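To see what Step 4 still has to change on a given bucket, you can inspect the bucket ACL and the object owners. This is an added example, not code from Redis or AWS: the sample data is constructed in the shape returned by `aws s3api get-bucket-acl` and `aws s3api list-objects-v2 --fetch-owner`, and the owner IDs and function names are assumptions.

```python
# Canonical ID of the ElastiCache grantee, as given in Step 1.
ELASTICACHE_ID = "540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353"
OWNER_ID = "a" * 64  # constructed stand-in for your account's canonical ID

# Constructed sample in the shape returned by `aws s3api get-bucket-acl`.
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ELASTICACHE_ID}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ELASTICACHE_ID}, "Permission": "READ_ACP"},
    ],
}
# Constructed sample in the shape of `aws s3api list-objects-v2 --fetch-owner`.
SAMPLE_LISTING = {
    "Contents": [
        {"Key": "backup-0001.rdb", "Owner": {"DisplayName": "aws-scs-s3-readonly", "ID": "b" * 64}},
        {"Key": "notes.txt", "Owner": {"ID": OWNER_ID}},
    ]
}


def foreign_grants(acl):
    """(grantee, permission) pairs granted to anyone other than the bucket owner."""
    owner = acl["Owner"]["ID"]
    out = []
    for grant in acl.get("Grants", []):
        g = grant["Grantee"]
        who = g.get("ID") or g.get("URI") or g.get("EmailAddress")  # user, group or email
        if who != owner:
            out.append((who, grant["Permission"]))
    return out


def foreign_objects(listing, owner_id):
    """Keys whose object owner is not the bucket owner; the bucket policy skips these."""
    return [o["Key"] for o in listing.get("Contents", [])
            if o.get("Owner", {}).get("ID") != owner_id]


def step4_report(acl, listing):
    """Summarise what Step 4 still has to change for this bucket."""
    grants = foreign_grants(acl)
    return {
        "grants_to_remove": grants,
        "objects_not_covered_by_policy": foreign_objects(listing, acl["Owner"]["ID"]),
        "acl_is_owner_only": not grants,
    }
```

Once the ACL is owner-only and ACLs are disabled, re-running the listing should show every backup object owned by the bucket owner.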

Step 5. Import objects to Redis Cloud DB as usual

  1. In the Redis Cloud console, select the target database from the database list.
  2. In the Danger Zone, select Import.
  3. Enter the details for the RDB file:
    1. Source type - Select AWS S3.
    2. Source path - Enter the URL for the RDB file: s3://bucketname/[path/]filename.rdb[.gz]
      • bucketname - Name of the S3 bucket
      • path - Path to the file, if necessary
      • filename - Filename of the RDB file, including the .gz suffix if the file is compressed
  4. Select Add source to add another RDB file for sharded databases with multiple RDB files.
  5. Select Import.
