Redis 7.4 on AWS User Guide
Overview
This image runs Redis 7.4, the in memory key value store widely used as a database, cache, message broker and streaming engine. Redis 7.4 is the final open source release line under the BSD-3-Clause licence, the last release before Redis Inc. moved Redis to the SSPL/RSAL split licence, so the image is suitable for teams that need an unambiguously open source build of Redis.
Redis is the only workload on the image. The Redis server is installed from the official Redis package repository and runs under its package systemd unit. Authentication is enforced from the moment the server starts; on the first boot of your instance a one shot service generates a fresh, strong password for the default Redis user, applies it to the running server and writes it to /root/redis-credentials.txt, a file that only the root user can read. No shared or default Redis credential ships in the image.
The image also runs nginx on port 80 to serve a tiny static identification page. The identification page is used by the AWS Marketplace primary HTTP health check and is a convenient way to confirm from a web browser that the image is alive. It never embeds the rotated Redis password; the password is only available over SSH.
This is otherwise a headless image. You administer Redis over SSH with the redis-cli command line client.
Prerequisites
Before you deploy this image you need:
- An Amazon Web Services account where you can launch EC2 instances
- IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
- An EC2 key pair in the target Region for SSH access to the instance
- A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and, optionally, inbound port 6379 from the application servers that need to reach Redis
- The AWS CLI (version 2) installed locally if you plan to deploy from the command line
Recommended instance type: m5.large (2 vCPU, 8 GB RAM) or larger. Redis is memory bound; size your instance to comfortably hold your working set in RAM with headroom for the operating system and persistence buffers.
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Redis. Select the cloudimg listing and choose Select, then Continue on the subscription summary.
Pick an instance type of m5.large or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and port 6379 from the CIDRs that need to reach Redis. Port 80 is also worth opening for the static identification page if you want to confirm the image is alive from a web browser. Leave the root volume at the default size or larger.
Select Launch instance. First boot initialisation, which generates the requirepass and starts Redis, takes a few seconds after the instance state becomes Running and the status checks pass.
Step 2: Launch the Instance from the AWS CLI
The following block launches an instance from the cloudimg Redis Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens inbound port 22.
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type m5.large \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--metadata-options HttpTokens=required \
--block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"VolumeType":"gp3"}}]' \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=redis-01}]'
The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.
Step 3: Confirm the Image Is Alive in a Browser
While the instance is starting you can confirm the image is alive by opening http://<public-ip>/ in any web browser. The image serves a small static identification page on port 80 that names the product and tells you which file holds the rotated Redis password. The page never embeds the password.
If you do not want to expose port 80 to the public internet, restrict the security group rule to your management network or remove the rule entirely. The identification page is a convenience and not required by Redis itself.
Step 4: Connect over SSH
Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| Redis 7.4 on Ubuntu 24.04 | ubuntu |
ssh <login-user>@<public-ip>
Wait until the instance has passed both EC2 status checks before connecting. The first boot service runs before the SSH daemon is ready, so Redis is initialised by the time you can log in.
Step 5: Retrieve the Generated Redis Password
The first boot service generates a fresh requirepass for this instance and writes it, with the connection details, to /root/redis-credentials.txt. The file is readable only by the root user. Display it from your SSH session:
sudo cat /root/redis-credentials.txt
The file looks like this, with a unique password on your instance:
# Redis 7.4 -- Per-Instance Credentials
# Generated at first boot: Sun May 24 23:45:14 UTC 2026
#
# Connect locally on the instance:
# redis-cli -a '<REDIS_PASSWORD>' --no-auth-warning PING # -> PONG
# redis-cli -a '<REDIS_PASSWORD>' --no-auth-warning SET hello world
# redis-cli -a '<REDIS_PASSWORD>' --no-auth-warning GET hello
#
# Connect from your VPC (the security group must allow 6379 from your CIDR):
# redis-cli -h <public-ip> -p 6379 -a '<REDIS_PASSWORD>' --no-auth-warning PING
#
redis_user=default
requirepass=<REDIS_PASSWORD>
REDIS_USER=default
REDIS_PASSWORD=<REDIS_PASSWORD>
LISTEN_PORT=6379
LISTEN_ADDRESS_LOCAL=127.0.0.1
LISTEN_ADDRESS_VPC=0.0.0.0
Keep the password somewhere safe. The same file is updated each time the first boot service runs, but the service only runs once per instance; subsequent boots leave it unchanged.
Step 6: Confirm the Redis Server Is Active and Listening
Both Redis and nginx run as systemd services. Confirm they are active:
sudo systemctl is-active redis-server.service
sudo systemctl is-active nginx.service
Expected output:
active
active
Confirm the listening sockets, Redis on TCP 6379 and nginx on TCP 80:
sudo ss -tln | grep -E ":(6379|80) "
Expected output:
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
Check the installed Redis version with the bundled redis-cli:
redis-cli --version
Expected output:
redis-cli 7.4.9
Step 7: Open the Redis Command Line Client
Read the requirepass from /root/redis-credentials.txt and use it with redis-cli. The simplest one liner reads the password and stores it in a shell variable for the rest of the session:
PASS=$(sudo grep '^REDIS_PASSWORD=' /root/redis-credentials.txt | cut -d= -f2-)
redis-cli -a "$PASS" --no-auth-warning PING
Expected output:
PONG
The --no-auth-warning flag suppresses a harmless warning about passing the password on the command line; the password is also available in environment variables and in ~/.bashrc style configuration if you want to avoid it appearing in your shell history.
Step 8: Store and Read a Key
Store a key and read it back. The block below re reads the password so the snippet is self contained; in an interactive session the $PASS variable from the previous step is still in scope.
PASS=$(sudo grep '^REDIS_PASSWORD=' /root/redis-credentials.txt | cut -d= -f2-)
redis-cli -a "$PASS" --no-auth-warning SET mykey "hello cloudimg"
redis-cli -a "$PASS" --no-auth-warning GET mykey
Expected output:
OK
hello cloudimg
You can also drive Redis from any host that can reach port 6379 on the instance. From your workstation or application server:
redis-cli -h <public-ip> -p 6379 -a '<password>' --no-auth-warning PING
Make sure the security group on the instance allows inbound TCP 6379 from the source CIDR. Anonymous connections are refused by Redis regardless of the security group; authentication is enforced inside Redis itself.
Step 9: Inspect Redis Server State
The INFO command exposes a wealth of operational information. The server section shows the version, build identifier, mode and host kernel:
PASS=$(sudo grep '^REDIS_PASSWORD=' /root/redis-credentials.txt | cut -d= -f2-)
redis-cli -a "$PASS" --no-auth-warning INFO server | head -10
Expected output:
# Server
redis_version:7.4.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:74932331a9f87821
redis_mode:standalone
os:Linux 6.8.0-1009-aws x86_64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
Other useful sections are clients, memory, persistence, stats, replication and keyspace. Pass the section name as the argument to INFO, for example INFO memory.
Step 10: Persistence, Memory and Replication
The image enables RDB snapshot persistence with the upstream Redis defaults (save 3600 1, save 300 100, save 60 10000). Snapshots are written under /var/lib/redis. To enable append only file persistence for write heavy durability, set the following in /etc/redis/conf.d/cloudimg-persistence.conf and restart Redis:
appendonly yes
appendfsync everysec
sudo systemctl restart redis-server
No memory cap is set by default; Redis uses all available RAM. For a cache workload, set maxmemory and an eviction policy in /etc/redis/conf.d/cloudimg-memory.conf:
maxmemory 4gb
maxmemory-policy allkeys-lru
sudo systemctl restart redis-server
For replication, run a second instance from this AMI in the same VPC and security group, then configure the replica to follow the primary by adding a replicaof <primary-ip> 6379 line and the primary's requirepass in masterauth to /etc/redis/conf.d/cloudimg-replica.conf. Replication and Sentinel are covered in detail in the upstream Redis documentation at https://redis.io/docs/latest/operate/.
Step 11: Service Management
Redis and nginx are normal systemd units. Useful commands:
sudo systemctl status redis-server.service
sudo systemctl restart redis-server.service
sudo journalctl -u redis-server.service --since "1 hour ago"
The Redis configuration is at /etc/redis/redis.conf; cloudimg adds an include /etc/redis/conf.d/*.conf line so per instance overrides live in their own files and survive package upgrades. The first boot service writes /etc/redis/conf.d/cloudimg-auth.conf with the rotated requirepass.
If you change bind, port, or any other listener configuration, update the security group to match before restarting Redis.
Screenshots
Terminal output showing redis-server reporting a 7.4.x version string and the redis-server.service in an active running state.
A redis-cli session connecting with the rotated per-instance password and confirming the server is responsive with a PING that returns PONG.
A redis-cli session storing a key with SET and reading it back with GET, confirming the data path works end to end on the running image.
The INFO server section reporting the Redis version, uptime and process id on the running Redis 7.4 image.
Support
24/7 technical support is included with this image and is available by email and chat. Help with Redis deployment, persistence configuration, memory tuning, cache eviction policy choices, replication and operations is provided by cloudimg.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.