
ElastiCache Cluster Default Port

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC-012

Ensure that your Amazon ElastiCache clusters are not using their default endpoint ports (i.e. 6379 for Redis and 11211 for Memcached) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks. Changing the default port number for your cache clusters represents a basic security measure and does not completely secure the clusters from port scanning and network attacks. To implement advanced ElastiCache security, you should always look into security measures such as controlling clusters access through security groups and Network Access Control Lists (NACLs), and keeping the cache clusters within private subnets to completely isolate them from the Internet.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Running your Amazon ElastiCache clusters on the default ports represents a potential security issue. Replacing the default port numbers (6379 for Redis and 11211 for Memcached) with custom ones adds an extra layer of defense, helping to protect your cache clusters against non-targeted attacks such as automated port scans.


Audit

To determine if your Amazon ElastiCache cache clusters are using their default port, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 For Redis cache clusters:

  1. In the main navigation panel, under Resources, choose Redis caches to access the cache clusters created with Redis.
  2. Select the Redis cache cluster that you want to examine, choose Actions, and select Modify to access the cluster configuration settings.
  3. In the Cluster settings section, check the Port attribute value to identify the port number that cluster nodes accept connections on. If the Port value is 6379, the selected Redis cache cluster is using the default port for endpoint access; therefore, your Amazon ElastiCache cluster could be susceptible to attack.

04 For Memcached cache clusters:

  1. In the navigation panel, under Resources, choose Memcached caches to access the cache clusters created with Memcached.
  2. Select the Memcached cache cluster that you want to examine, choose Actions, and select Modify to access the cluster configuration settings.
  3. In the Cluster settings section, check the Port attribute value to identify the port number configured for cluster endpoint access. If the Port value is 11211, the selected Memcached cache cluster is using the default port for endpoint access; therefore, your Amazon ElastiCache cluster might be vulnerable to attacks.

05 Repeat steps no. 3 and 4 for each Amazon ElastiCache cluster provisioned within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 For Redis cache clusters:

  1. Run the describe-replication-groups command (OSX/Linux/UNIX) to list the identifier (name) of each Redis replication group available in the selected AWS cloud region:
    aws elasticache describe-replication-groups \
      --region us-east-1 \
      --output table \
      --query 'ReplicationGroups[*].ReplicationGroupId'

  2. The command output should return a table with the requested resource names:
    ----------------------------------
    |   DescribeReplicationGroups    |
    +--------------------------------+
    |  cc-production-redis-cluster   |
    |  cc-webapp-redis-cache-cluster |
    +--------------------------------+
    
  3. Run the describe-replication-groups command (OSX/Linux/UNIX) again, with the name of the replication group that you want to examine as the identifier parameter and custom output filters, to describe the port number used for endpoint access by the selected replication group:
    aws elasticache describe-replication-groups \
      --region us-east-1 \
      --replication-group-id cc-production-redis-cluster \
      --query 'ReplicationGroups[*].NodeGroups[*].PrimaryEndpoint.Port[]'

  4. The command output should return the requested port number:
    [
    	6379
    ]
    

    If the describe-replication-groups command output returns 6379 for the port number, as shown in the output example above, the selected Redis cache cluster is using the default port for endpoint access; therefore, your Amazon ElastiCache cluster could be susceptible to attack.

02 For Memcached cache clusters:

  1. Run the describe-cache-clusters command (OSX/Linux/UNIX) to list the name of each Memcached cache cluster available in the selected AWS cloud region:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --output table \
      --query 'CacheClusters[?(Engine==`memcached`)].CacheClusterId'

  2. The command output should return a table with the requested cluster names:
    -------------------------------------
    |       DescribeCacheClusters       |
    +-----------------------------------+
    |  cc-production-memcache-cluster   |
    |  cc-backend-app-memcache-cluster  |
    +-----------------------------------+
    
  3. Run the describe-cache-clusters command (OSX/Linux/UNIX) with the name of the Memcached cache cluster that you want to examine as the identifier parameter, to describe the port number used for endpoint access by the selected cache cluster:
    aws elasticache describe-cache-clusters \
      --region us-east-1 \
      --cache-cluster-id cc-production-memcache-cluster \
      --query 'CacheClusters[*].ConfigurationEndpoint.Port'

  4. The command output should return the cluster endpoint port number:
    [
    	11211
    ]
    

    If the describe-cache-clusters command output returns 11211 for the port number, as shown in the output example above, the selected Memcached cache cluster is using the default port for endpoint access; therefore, your Amazon ElastiCache cluster might be vulnerable to attacks.

03 Repeat steps no. 1 and 2 for each Amazon ElastiCache cluster provisioned in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Audit process for other regions.
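The two CLI checks above can be applied to whole regions at once. The following Python script is an added example, not part of the Conformity rule or of any AWS tooling: it reads the JSON documents that aws elasticache describe-replication-groups and aws elasticache describe-cache-clusters print (with --output json, the CLI default) and reports every endpoint still on 6379 or 11211. It also covers a case the page's Redis query does not: a cluster-mode-enabled replication group exposes a ConfigurationEndpoint instead of per-node-group PrimaryEndpoint values. The embedded sample documents are constructed for illustration; they reuse the cluster names from the output examples above and add a constructed group named cc-sharded-redis-cluster. Endpoint addresses in the samples are placeholders.

```python
"""Flag Amazon ElastiCache endpoints that still listen on the engine default port.

Input is the JSON printed by
  aws elasticache describe-replication-groups --output json   (Redis)
  aws elasticache describe-cache-clusters --output json        (Memcached)
so the same check runs over live output or over files saved per region.
"""
import json
import sys

# Default endpoint ports named by the rule.
DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}


def redis_endpoint_ports(group):
    """Yield every endpoint port a Redis replication group exposes.

    Cluster mode disabled: each node group carries a PrimaryEndpoint.
    Cluster mode enabled: the group carries one ConfigurationEndpoint.
    """
    config = group.get("ConfigurationEndpoint")
    if config and "Port" in config:
        yield config["Port"]
    for node_group in group.get("NodeGroups", []):
        primary = node_group.get("PrimaryEndpoint")
        if primary and "Port" in primary:
            yield primary["Port"]


def audit(replication_groups_doc, cache_clusters_doc):
    """Return one record per ElastiCache resource: engine, name, port, compliant."""
    records = []
    for group in replication_groups_doc.get("ReplicationGroups", []):
        # Node groups normally share one port; report each distinct port once.
        for port in sorted(set(redis_endpoint_ports(group))):
            records.append({"engine": "redis", "resource": group["ReplicationGroupId"],
                            "port": port, "compliant": port != DEFAULT_PORTS["redis"]})
    for cluster in cache_clusters_doc.get("CacheClusters", []):
        # describe-cache-clusters also lists the member clusters of Redis
        # replication groups; those are assessed above, so only Memcached
        # clusters are taken from this document (same filter as the CLI query).
        if cluster.get("Engine") != "memcached":
            continue
        port = (cluster.get("ConfigurationEndpoint") or {}).get("Port")
        if port is None:
            continue  # endpoint not assigned yet (cluster still creating)
        records.append({"engine": "memcached", "resource": cluster["CacheClusterId"],
                        "port": port, "compliant": port != DEFAULT_PORTS["memcached"]})
    return records


def non_compliant(records):
    """Sorted (engine, resource) pairs that still use the default port."""
    return sorted((r["engine"], r["resource"]) for r in records if not r["compliant"])


# Constructed sample documents in the shape the CLI returns (addresses are placeholders).
SAMPLE_REPLICATION_GROUPS = {"ReplicationGroups": [
    {"ReplicationGroupId": "cc-production-redis-cluster", "ClusterEnabled": False,
     "NodeGroups": [{"NodeGroupId": "0001",
                     "PrimaryEndpoint": {"Address": "redis-1.example.internal", "Port": 6379}}]},
    {"ReplicationGroupId": "cc-webapp-redis-cache-cluster", "ClusterEnabled": False,
     "NodeGroups": [{"NodeGroupId": "0001",
                     "PrimaryEndpoint": {"Address": "redis-2.example.internal", "Port": 3560}}]},
    # Constructed cluster-mode-enabled group: port lives on the ConfigurationEndpoint.
    {"ReplicationGroupId": "cc-sharded-redis-cluster", "ClusterEnabled": True,
     "ConfigurationEndpoint": {"Address": "redis-3.example.internal", "Port": 6379},
     "NodeGroups": [{"NodeGroupId": "0001"}, {"NodeGroupId": "0002"}]},
]}

SAMPLE_CACHE_CLUSTERS = {"CacheClusters": [
    {"CacheClusterId": "cc-production-memcache-cluster", "Engine": "memcached",
     "ConfigurationEndpoint": {"Address": "mc-1.example.internal", "Port": 11211}},
    {"CacheClusterId": "cc-backend-app-memcache-cluster", "Engine": "memcached",
     "ConfigurationEndpoint": {"Address": "mc-2.example.internal", "Port": 13611}},
    # Member cluster of a Redis replication group; must be skipped here.
    {"CacheClusterId": "cc-production-redis-cluster-001", "Engine": "redis",
     "ReplicationGroupId": "cc-production-redis-cluster"},
]}


def main(argv):
    """Usage: audit.py <replication-groups.json> <cache-clusters.json>; no args runs the samples."""
    if len(argv) == 3:
        with open(argv[1]) as rg_file, open(argv[2]) as cc_file:
            rg_doc, cc_doc = json.load(rg_file), json.load(cc_file)
    else:
        rg_doc, cc_doc = SAMPLE_REPLICATION_GROUPS, SAMPLE_CACHE_CLUSTERS
    records = audit(rg_doc, cc_doc)
    for r in records:
        status = "OK" if r["compliant"] else "DEFAULT PORT"
        print(f"{r['engine']:<9} {r['resource']:<36} {r['port']:>6}  {status}")
    return 1 if non_compliant(records) else 0  # non-zero exit when findings exist


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per region after saving both CLI outputs to files, or with no arguments to see the constructed sample evaluated; the non-zero exit status makes it usable as a gate in a pipeline.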

Remediation / Resolution

To change the default port number for your Amazon ElastiCache clusters, you must re-create the cache clusters with a custom port number. To re-create an Amazon ElastiCache cache cluster, perform the following operations:

Case A: Memcached Cache Clusters

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Default Port Number for Memcached Cache Clusters",
	"Resources": {
		"MemcachedCacheCluster": {
			"Type": "AWS::ElastiCache::CacheCluster",
			"Properties": {
				"ClusterName": "cc-new-memcached-cluster",
				"Engine": "memcached",
				"EngineVersion": "1.6.6",
				"NumCacheNodes": "2",
				"CacheNodeType": "cache.t2.micro",
				"PreferredAvailabilityZone": "us-east-1b",
				"VpcSecurityGroupIds": ["sg-0abcd1234abcd1234"],
				"Port": 13611
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Default Port Number for Memcached Cache Clusters
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      ClusterName: cc-new-memcached-cluster
      Engine: memcached
      EngineVersion: 1.6.6
      NumCacheNodes: '2'
      CacheNodeType: cache.t2.micro
      PreferredAvailabilityZone: us-east-1b
      VpcSecurityGroupIds:
        - sg-0abcd1234abcd1234
      Port: 13611

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_cluster" "memcached-cache-cluster" {

	cluster_id           = "cc-new-memcached-cluster"
	engine               = "memcached"
	engine_version       = "1.6.6"
	node_type            = "cache.t2.micro"
	num_cache_nodes      = 2
	availability_zone    = "us-east-1b"
	parameter_group_name = "default.memcached1.6"
	security_group_ids   = ["sg-0abcd1234abcd1234"]

	# Configure Default Port Number for Memcached Cache Clusters
	port                 = 13611

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, select Memcached caches, and choose Create Memcached cache to create a new Memcached cache cluster.

  1. For Step 1 Cluster settings, perform the following actions:
    • For Choose a cluster creation method, set Deployment option to Design your own cache and Standard create.
    • For Location select AWS Cloud.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
    • For Cluster settings, select the Memcached engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type configured for the source cluster), and enter the number of nodes to provision in the Number of nodes box. Replace the default endpoint port number available in the Port box with a custom port number (e.g. 13611).
    • For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
    • For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
    • Choose Next to continue the setup process.
  2. For Step 2 Advanced settings, perform the following operations:
    • For Security, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups required to control network access to your cluster.
    • For Maintenance, set Maintenance window, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification dropdown list.
    • (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
    • Choose Next to continue the setup.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Memcached cache cluster.

04 (Optional) For cost optimization, you can delete the source Memcached cache cluster. To remove the source cluster (i.e. the one with the default port number) from your AWS cloud account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Memcached caches.
  2. Select the Memcached cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the confirmation box, choose whether to create a final backup for the source cluster, type the name of the selected cluster in the required text box, then choose Delete to confirm the cluster removal.

05 Repeat steps no. 3 and 4 for each Memcached cache cluster that you want to relaunch, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Re-create your Memcached cache cluster with the create-cache-cluster command (OSX/Linux/UNIX), using a port number different than 11211 for the cluster endpoint port. Use the --port command parameter to set your own custom port number:

aws elasticache create-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id "cc-new-production-memcache-cluster" \
  --az-mode "single-az" \
  --preferred-availability-zone "us-east-1a" \
  --num-cache-nodes 2 \
  --cache-node-type "cache.r5.large" \
  --engine "memcached" \
  --engine-version "1.6.22" \
  --security-group-ids "sg-0abcd1234abcd1234" \
  --cache-subnet-group-name "cc-memcache-cluster-sg" \
  --port 13611

02 The command output should return the information available for the new Memcached cache cluster:

{
	"CacheCluster": {
		"CacheClusterId": "cc-new-production-memcache-cluster",
		"CacheNodeType": "cache.r5.large",
		"Engine": "memcached",
		"EngineVersion": "1.6.22",
		"CacheClusterStatus": "creating",
		"NumCacheNodes": 2,
		"PreferredAvailabilityZone": "us-east-1a",

		...

		"PendingModifiedValues": {},
		"CacheSecurityGroups": [],
		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:cluster:cc-new-production-memcache-cluster",
		"ReplicationGroupLogDeliveryEnabled": false,
		"LogDeliveryConfigurations": []
	}
}

03 (Optional) To remove the source (non-compliant) Memcached cache cluster from your AWS cloud account, run the delete-cache-cluster command (OSX/Linux/UNIX):

aws elasticache delete-cache-cluster \
  --region us-east-1 \
  --cache-cluster-id cc-production-memcache-cluster

04 The output should return the information available for the deleted Memcached cache cluster:

{
	"CacheCluster": {
		"CacheClusterId": "cc-production-memcache-cluster",
		"CacheNodeType": "cache.r5.large",
		"Engine": "memcached",

		...

		"TransitEncryptionEnabled": true,
		"AtRestEncryptionEnabled": false,
		"ReplicationGroupLogDeliveryEnabled": false
	}
}

05 Repeat steps no. 1 – 4 for each Memcached cache cluster that you want to re-create, available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.

Case B: Redis Cache Clusters

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Default Port Number for Redis Cache Clusters",
	"Resources": {
		"RedisReplicationGroup": {
			"Type": "AWS::ElastiCache::ReplicationGroup",
			"Properties": {
				"ReplicationGroupId": "cc-new-redis-cache-cluster",
				"ReplicationGroupDescription": "Redis Cache Replication Group with Non-Default Port Number",
				"Engine": "redis",
				"EngineVersion": "6.2",
				"NumCacheClusters": "2",
				"CacheNodeType": "cache.t2.micro",
				"CacheParameterGroupName": "default.redis6.x",
				"Port": 3560
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Default Port Number for Redis Cache Clusters
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: cc-new-redis-cache-cluster
      ReplicationGroupDescription: Redis Cache Replication Group with Non-Default Port Number
      Engine: redis
      EngineVersion: '6.2'
      NumCacheClusters: '2'
      CacheNodeType: cache.t2.micro
      CacheParameterGroupName: default.redis6.x
      Port: 3560

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elasticache_replication_group" "redis-cache-cluster" {

	replication_group_id        = "cc-new-redis-cache-cluster1"
	description                 = "Redis Cache Replication Group with Non-Default Port Number"
	engine                      = "redis"
	engine_version              = "6.x"
	node_type                   = "cache.t2.micro"
	num_cache_clusters          = 2
	parameter_group_name        = "default.redis6.x"

	# Configure Default Port Number for Redis Cache Clusters
	port                        = 3560

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ElastiCache console available at https://console.aws.amazon.com/elasticache/.

03 In the main navigation panel, under Resources, select Redis caches, and choose Create Redis cache to create a new Redis cache cluster.

  1. For Step 1 Cluster settings, perform the following actions:
    • For Configuration, set Deployment option to Design your own cache and Creation method to Cluster cache.
    • For Cluster mode, choose the cluster mode required for your application.
    • For Cluster info, provide a unique name for the new cache cluster in the Name box. (Optional) Enter a short description in the Description - optional box.
    • For Location, choose AWS Cloud. Choose whether or not to deploy the new cluster with a multi-AZ and/or failover configuration.
    • For Cluster settings, select the Redis engine version from the Engine version dropdown list, choose the right parameter group from the Parameter groups list, select the appropriate Node type (must match the node type configured for the source cluster), and enter the number of replicas to provision in the Number of replicas box. Replace the default endpoint port number available in the Port box with a custom port number (e.g. 3560).
    • For Connectivity, choose the IP version(s) that this cluster will support from the Network type dropdown list and select an existing VPC subnet group from the Subnet groups list. To create a new subnet group, choose Create a new subnet group and provide the required VPC information.
    • For Availability Zone placements, you can configure placements for the supported Availability Zones (AZs).
    • Choose Next to continue the setup process.
  2. For Step 2 Advanced settings, perform the following operations:
    • For Security, check Enable under Encryption at rest and select an encryption key to enable encryption at rest, check Enable under Encryption in transit to enable encryption in transit, and choose Manage under Selected security groups to select the security groups necessary for controlling network access to your cluster.
    • For Backup, check Enable automatic backups to enable automatic backups. Configure the Backup retention period and preferred Backup window.
    • For Maintenance, set Maintenance window, check Enable under Auto upgrade minor versions to enable auto minor version upgrades, and choose an SNS topic for alert notifications from the Topic for Amazon SNS notification list.
    • For Logs, check Enable under Slow logs and Engine logs to enable Redis engine logs and slow logs for the new cluster. Choose the required Log format and Log destination type for each log type.
    • (Optional) For Tags, you can create tags to search and filter your cache clusters or track your AWS costs.
    • Choose Next to continue the setup.
  3. For Step 3 Review and create, review the cluster configuration settings, then choose Create to launch your new Redis cache cluster.

04 (Optional) For cost optimization, you can delete the source Redis cache cluster. To remove the source cluster (i.e. the one with the default port number) from your AWS cloud account, perform the following actions:

  1. In the main navigation panel, under Resources, choose Redis caches.
  2. Select the Redis cache cluster that you want to remove, choose Actions, and select Delete.
  3. In the confirmation box, choose whether to create a final backup for the source cluster, type the name of the selected cluster in the required text box, then choose Delete to confirm the cluster removal.

05 Repeat steps no. 3 and 4 for each Redis cache cluster that you want to relaunch, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Re-create your Redis replication group with the create-replication-group command (OSX/Linux/UNIX), using a port number different than 6379 for the cluster endpoint port. Use the --port command parameter to set your own custom port number:

aws elasticache create-replication-group \
  --region us-east-1 \
  --replication-group-id "cc-new-production-redis-cluster" \
  --replication-group-description "Redis Cache Replication Group with Non-Default Port Number" \
  --engine "redis" \
  --num-cache-clusters 2 \
  --cache-node-type "cache.r5.large" \
  --no-multi-az-enabled \
  --cache-subnet-group-name "cc-redis-cache-sg" \
  --port 3560

02 The command output should return the information available for the new Redis cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-new-production-redis-cluster",
		"Description": "Redis Cache Replication Group with Non-Default Port Number",
		"GlobalReplicationGroupInfo": {},
		"Status": "creating",
		"PendingModifiedValues": {},
		"MemberClusters": [
			"cc-new-production-redis-cluster-001",
			"cc-new-production-redis-cluster-002"
		],

		...

		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "06:00-07:00",
		"ClusterEnabled": false,
		"CacheNodeType": "cache.r5.large",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"ARN": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:cc-new-production-redis-cluster",
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

03 (Optional) To remove the source (non-compliant) Redis cache cluster from your AWS cloud account, run the delete-replication-group command (OSX/Linux/UNIX):

aws elasticache delete-replication-group \
  --region us-east-1 \
  --replication-group-id cc-production-redis-cluster

04 The output should return the information available for the deleted Redis cache cluster:

{
	"ReplicationGroup": {
		"ReplicationGroupId": "cc-production-redis-cluster",
		"Description": " ",
		"GlobalReplicationGroupInfo": {},
		"Status": "deleting",
		"PendingModifiedValues": {},
		"AutomaticFailover": "disabled",

		...

		"SnapshotRetentionLimit": 0,
		"SnapshotWindow": "05:00-06:00",
		"TransitEncryptionEnabled": false,
		"AtRestEncryptionEnabled": false,
		"LogDeliveryConfigurations": [],
		"DataTiering": "disabled"
	}
}

05 Repeat steps no. 1 – 4 for each Redis cache cluster that you want to relaunch, available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.

Publication date Nov 1, 2017