ElastiCache Using Default Port
- Query id: 323db967-c68e-44e6-916c-a777f95af34b
- Query name: ElastiCache Using Default Port
- Platform: CloudFormation
- Severity: Low
- Category: Networking and Firewall
- URL: Github
Description
ElastiCache should not use the default port, since an attacker can easily guess it. For Engine set to redis the default port is 6379; for memcached it is 11211.
Documentation
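As an added check (not the KICS query's own Rego), the Python below scans a CloudFormation template, already parsed from JSON, for ElastiCache resources listening on their engine's default port; it goes beyond the page's ReplicationGroup samples by also covering AWS::ElastiCache::CacheCluster, and the sample template, the quoted-port case, and the rule that an omitted Port or Engine means the service default are assumptions made here.

```python
DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}
# Assumption: CacheCluster carries the same Engine/Port properties as ReplicationGroup.
ELASTICACHE_TYPES = {"AWS::ElastiCache::ReplicationGroup",
                     "AWS::ElastiCache::CacheCluster"}


def uses_default_port(props):
    """Return (engine, port) when the resource listens on its engine's default, else None."""
    # Assumption: a ReplicationGroup with no Engine property is Redis.
    engine = str(props.get("Engine", "redis")).lower()
    default = DEFAULT_PORTS.get(engine)
    if default is None:
        return None  # unknown engine: nothing to compare against
    # Assumption: an omitted Port falls back to the service default, so it is flagged too.
    port = props.get("Port", default)
    try:
        port = int(port)  # some templates quote the port ("6379")
    except (TypeError, ValueError):
        return None  # intrinsic function such as {"Ref": ...}: undecidable statically
    return (engine, port) if port == default else None


def find_default_port_resources(template):
    """Return [(logical_id, engine, port)] for each flagged ElastiCache resource."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in ELASTICACHE_TYPES:
            continue
        hit = uses_default_port(resource.get("Properties", {}))
        if hit:
            findings.append((logical_id, hit[0], hit[1]))
    return findings


# Constructed sample (not from the page): a Redis group on the default port, a Memcached
# cluster with a quoted default port, a Redis group moved to 6380 and an unrelated resource.
SAMPLE_TEMPLATE = {"Resources": {
    "RedisDefault": {"Type": "AWS::ElastiCache::ReplicationGroup",
                     "Properties": {"Engine": "redis", "Port": 6379}},
    "MemcachedQuoted": {"Type": "AWS::ElastiCache::CacheCluster",
                        "Properties": {"Engine": "memcached", "Port": "11211"}},
    "RedisMoved": {"Type": "AWS::ElastiCache::ReplicationGroup",
                   "Properties": {"Engine": "redis", "Port": 6380}},
    "CacheSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
}}

if __name__ == "__main__":  # a real run would json.load() the template file first
    for logical_id, engine, port in find_default_port_resources(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {engine} listening on default port {port}")
```

A non-default port only raises the cost of guessing; the SecurityGroupIds attached in the samples remain the control that decides who can reach the cache at all.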
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6379
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'
Positive test num. 2 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11211
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'
Positive test num. 3 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "AutomaticFailoverEnabled": true,
        "CacheNodeType": "cache.r3.large",
        "CacheSubnetGroupName": {
          "Ref": "CacheSubnetGroup"
        },
        "Engine": "redis",
        "EngineVersion": "3.2",
        "NumNodeGroups": "2",
        "ReplicasPerNodeGroup": "3",
        "Port": 6379,
        "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
        "ReplicationGroupDescription": "A sample replication group",
        "SecurityGroupIds": [
          {
            "Ref": "ReplicationGroupSG"
          }
        ],
        "SnapshotRetentionLimit": 5,
        "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}
Positive test num. 4 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "AutomaticFailoverEnabled": true,
        "CacheNodeType": "cache.r3.large",
        "CacheSubnetGroupName": {
          "Ref": "CacheSubnetGroup"
        },
        "Engine": "memcached",
        "EngineVersion": "3.2",
        "NumNodeGroups": "2",
        "ReplicasPerNodeGroup": "3",
        "Port": 11211,
        "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
        "ReplicationGroupDescription": "A sample replication group",
        "SecurityGroupIds": [
          {
            "Ref": "ReplicationGroupSG"
          }
        ],
        "SnapshotRetentionLimit": 5,
        "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6380
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'
Negative test num. 2 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11212
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'
Negative test num. 3 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "AutomaticFailoverEnabled": true,
        "CacheNodeType": "cache.r3.large",
        "CacheSubnetGroupName": {
          "Ref": "CacheSubnetGroup"
        },
        "Engine": "redis",
        "EngineVersion": "3.2",
        "NumNodeGroups": "2",
        "ReplicasPerNodeGroup": "3",
        "Port": 6380,
        "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
        "ReplicationGroupDescription": "A sample replication group",
        "SecurityGroupIds": [
          {
            "Ref": "ReplicationGroupSG"
          }
        ],
        "SnapshotRetentionLimit": 5,
        "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}
Negative test num. 4 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
        "AutomaticFailoverEnabled": true,
        "CacheNodeType": "cache.r3.large",
        "CacheSubnetGroupName": {
          "Ref": "CacheSubnetGroup"
        },
        "Engine": "memcached",
        "EngineVersion": "3.2",
        "NumNodeGroups": "2",
        "ReplicasPerNodeGroup": "3",
        "Port": 11212,
        "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
        "ReplicationGroupDescription": "A sample replication group",
        "SecurityGroupIds": [
          {
            "Ref": "ReplicationGroupSG"
          }
        ],
        "SnapshotRetentionLimit": 5,
        "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}