ElastiCache Using Default Port

  • Query id: 7cc6c791-5f68-4816-a564-b9b699f9d26e
  • Query name: ElastiCache Using Default Port
  • Platform: Ansible
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

ElastiCache should not use the default port, because an attacker can easily guess it. When the engine is set to Redis, the default port is 6379; the Memcached default port is 11211.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Basic example
  community.aws.elasticache:
    name: "test-please-delete"
    state: present
    engine: memcached
    cache_engine_version: 1.4.14
    node_type: cache.m1.small
    num_nodes: 1
    cache_port: 11211
    cache_subnet_group: default
    zone: us-east-1d
Positive test num. 2 - yaml file
- name: Basic example2
  community.aws.elasticache:
    name: "test-please-delete"
    state: present
    engine: redis
    cache_engine_version: 1.4.14
    node_type: cache.m1.small
    num_nodes: 1
    cache_port: 6379
    cache_subnet_group: default
    zone: us-east-1d

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Basic example2
  community.aws.elasticache:
    name: "test-please-delete"
    state: present
    engine: memcached
    cache_engine_version: 1.4.14
    node_type: cache.m1.small
    num_nodes: 1
    cache_port: 11212
    cache_subnet_group: default
    zone: us-east-1d
Negative test num. 2 - yaml file
- name: Basic example2
  community.aws.elasticache:
    name: "test-please-delete"
    state: present
    engine: redis
    cache_engine_version: 1.4.14
    node_type: cache.m1.small
    num_nodes: 1
    cache_port: 6380
    cache_subnet_group: default
    zone: us-east-1d