DEV Community

Access AWS ElastiCache from Localhost Using a Bastion Host and SSM

To securely access services such as Redis (ElastiCache) in private subnets, you can set up a bastion host with SSM (Session Manager) and tunnel requests from localhost without exposing anything to the public internet.

The infrastructure consists of a bastion EC2 instance in a public subnet, a Redis ElastiCache cluster in private subnets, and security groups that allow limited access. Terraform resources create the bastion host, the IAM role for SSM, the bastion host security group, the ElastiCache Redis cluster, and the Redis security group. The bastion host security group allows egress only to the required ports, and the Redis security group allows ingress only from the bastion host. The ElastiCache Redis cluster is created with a specific node type, port, and subnet group.

To access Redis from localhost, start an SSM session with the AWS CLI and then connect to Redis through the bastion host. Redis stays off the public internet, and the cluster can still be tested and inspected.

Security best practices include restricting IPs or CIDRs, using private subnets, limiting egress and ingress traffic, preferring SSM over SSH, and removing public IPs once connected through VPC peering or VPNs.
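The SSM tunnel step described above, as an added example that is not code from the original article. It assumes the AWS CLI and the Session Manager plugin are installed locally, uses the AWS-managed document AWS-StartPortForwardingSessionToRemoteHost (not named in the article), and treats the instance id, Redis endpoint and ports as placeholders you supply.

```sh
#!/bin/sh
# Added example: forward a local port to ElastiCache Redis through the bastion via SSM.
# All arguments (instance id, Redis endpoint, ports) are placeholders supplied by you.

# Accept only an EC2 instance id: "i-" followed by 8 or 17 lowercase hex characters.
valid_instance_id() {
  case "$1" in i-*) ;; *) return 1 ;; esac
  hex=${1#i-}
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#hex}" -eq 8 ] || [ "${#hex}" -eq 17 ]
}

# Accept only a TCP port number in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Hostname characters only: keeps quotes and shell metacharacters out of the JSON.
valid_host() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Build the --parameters JSON: build_params <redis-host> <remote-port> <local-port>
build_params() {
  valid_host "$1" && valid_port "$2" && valid_port "$3" || return 1
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Open the tunnel via the bastion; the session stays in the foreground until Ctrl-C.
open_tunnel() {
  valid_instance_id "$1" || { echo "bad instance id" >&2; return 1; }
  params=$(build_params "$2" "$3" "$4") || { echo "bad host or port" >&2; return 1; }
  aws ssm start-session \
    --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
}

# Usage: ./redis-tunnel.sh <bastion-instance-id> <redis-endpoint> [remote-port] [local-port]
if [ "$#" -ge 2 ]; then
  open_tunnel "$1" "$2" "${3:-6379}" "${4:-6379}"
fi
```

With the tunnel open, run `redis-cli -h 127.0.0.1 -p 6379 ping` in a second terminal; add `--tls` if the cluster has in-transit encryption enabled.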