ElastiCache Using Default Port

  • Query id: 323db967-c68e-44e6-916c-a777f95af34b
  • Query name: ElastiCache Using Default Port
  • Platform: CloudFormation
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

ElastiCache should not use the default port, since an attacker can easily guess it. For Engine set to Redis, the default port is 6379; the Memcached default port is 11211.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6379
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'

Positive test num. 2 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11211
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'

Positive test num. 3 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "redis",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 6379,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "memcached",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 11211,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6380
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'

Negative test num. 2 - yaml file
Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11212
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00'

Negative test num. 3 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "redis",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 6380,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "memcached",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 11212,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}
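
The check described above, written out as a small standalone scanner. This is an added example, not the KICS query itself or its Rego source: it walks the Resources section of a CloudFormation template (JSON, or YAML when PyYAML is installed), finds ElastiCache resources and reports any whose Port equals the default for its Engine (6379 for redis, 11211 for memcached). It goes slightly beyond the samples on this page in two assumed ways: it also inspects AWS::ElastiCache::CacheCluster, which exposes the same Engine and Port properties, and it reports a resource that omits Port entirely, because AWS then falls back to the engine default. The embedded template is constructed for the example and mirrors "Positive test num. 3".

```python
"""Added example (not KICS's own query): flag ElastiCache resources that
listen on their engine's default port in a CloudFormation template.

Assumptions: templates are JSON, or YAML if PyYAML is available; resource
types and property names (Engine, Port) are the public CloudFormation ones;
an omitted Port counts as the default, since AWS falls back to it."""
import json

# Default ports named in the query description.
DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}

# The page's samples only use ReplicationGroup; CacheCluster is added here
# as a generalisation because it exposes the same Engine/Port properties.
ELASTICACHE_TYPES = {
    "AWS::ElastiCache::ReplicationGroup",
    "AWS::ElastiCache::CacheCluster",
}


def load_template(text):
    """Parse a template as JSON, falling back to CloudFormation-style YAML."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    try:
        import yaml  # optional dependency, only needed for YAML templates
    except ImportError as exc:
        raise ValueError("template is not JSON and PyYAML is not installed") from exc

    class CfnLoader(yaml.SafeLoader):
        pass

    def intrinsic(loader, tag_suffix, node):
        # Turn short-form intrinsics such as !Ref X into {"Ref": "X"} so the
        # YAML and JSON forms of a template yield the same structure.
        if isinstance(node, yaml.ScalarNode):
            return {tag_suffix: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {tag_suffix: loader.construct_sequence(node)}
        return {tag_suffix: loader.construct_mapping(node)}

    CfnLoader.add_multi_constructor("!", intrinsic)
    return yaml.load(text, Loader=CfnLoader)


def _literal_port(value):
    """Return Port as an int, or None when it is absent or an intrinsic
    function (e.g. {"Ref": "CachePort"}) that cannot be resolved statically."""
    if value is None or isinstance(value, (dict, list)):
        return None
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def find_default_port_findings(template):
    """Return one finding per ElastiCache resource bound to its default port."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") not in ELASTICACHE_TYPES:
            continue
        props = resource.get("Properties") or {}
        engine = str(props.get("Engine", "")).lower()
        default = DEFAULT_PORTS.get(engine)
        if default is None:
            continue  # unknown or missing engine: nothing to compare against
        port = _literal_port(props.get("Port"))
        if "Port" not in props:
            reason = "Port omitted, AWS falls back to the engine default %d" % default
        elif port == default:
            reason = "Port explicitly set to the %s default %d" % (engine, default)
        else:
            continue  # non-default literal, or an intrinsic we cannot resolve
        findings.append({"resource": name, "engine": engine,
                         "port": default if port is None else port,
                         "reason": reason})
    return findings


def check_template_text(text):
    """Convenience wrapper: parse the template text and scan it."""
    return find_default_port_findings(load_template(text))


# Constructed sample: a copy of "Positive test num. 3" reduced to the relevant
# properties, a cluster that omits Port, and a hardened group on 6380.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "BasicReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {"Engine": "redis", "Port": 6379},
        },
        "ImplicitPortCluster": {
            "Type": "AWS::ElastiCache::CacheCluster",
            "Properties": {"Engine": "memcached", "NumCacheNodes": 1},
        },
        "HardenedGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {"Engine": "redis", "Port": 6380},
        },
    }
})

if __name__ == "__main__":
    for finding in check_template_text(SAMPLE_TEMPLATE):
        print("%s: %s" % (finding["resource"], finding["reason"]))
```

Ports given as quoted strings ("6379") are normalised before comparison, matching the mixed quoting in the samples above; a Port supplied through an intrinsic function such as Ref is left unreported because its value is not known until deployment, which is the same limitation any static template check has.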