
Default Port

Security

Risk level: Low (generally tolerable level of risk)

Ensure that your AWS ElastiCache clusters are not using their default endpoint ports (i.e. 6379 for Redis and 11211 for Memcached) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
Changing the default port number for your cache clusters is a basic security measure and does not by itself secure the clusters from port scanning and network attacks. To implement advanced AWS ElastiCache security, you should always look into security measures such as controlling cluster access through security groups and Network Access Control Lists (NACLs) and keeping clusters within private subnets to completely isolate them from the internet.

Running your AWS ElastiCache clusters on the default port represents a potential security concern. Replacing the default port numbers (6379 for Redis and 11211 for Memcached) with custom ones adds an extra layer of security, reducing the exposure of your cache clusters to opportunistic scans and attacks that target the well-known ports.

Audit

To determine if your existing Amazon ElastiCache clusters are using their default ports, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElastiCache dashboard at https://console.aws.amazon.com/elasticache/.

03 In the left navigation panel, under ElastiCache Dashboard, click Memcached to access the cache clusters created with the Memcached in-memory cache engine or Redis to access the clusters created with the Redis engine.

04 Click on the name (link) of the ElastiCache cache cluster that you want to examine to access its configuration page.

05 Check the port number utilized by the Memcached / Redis cluster cache nodes, listed in the Nodes tab, in the Port column.
If the values set for the Port attribute are 11211 for Memcached nodes and 6379 for Redis nodes, the cache clusters available in the current region are using their default endpoint ports, therefore you should take action and change these port numbers to add an additional layer of security.

06 Repeat step no. 4 and 5 to verify the port number for other AWS ElastiCache clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-cache-clusters command (OSX/Linux/UNIX) using custom query filters to expose the port number used by each cache cluster (Memcached and/or Redis) provisioned in the selected AWS region. The --show-cache-node-info flag is required so that the node endpoints (which carry the port for Redis clusters) are included in the response:

aws elasticache describe-cache-clusters \
	--region us-east-1 \
	--show-cache-node-info \
	--query 'CacheClusters[*].[CacheClusterId,Engine,CacheNodes[0].Endpoint.Port]'

02 The command output should return an array that contains sets of metadata representing the cluster identifier (name), the cache engine type (i.e. Memcached, Redis) and the port number used for each cache cluster available in the selected region:

[
    [
        "cc-memcached-cluster",
        "memcached",
        11211
    ],
    [
        "cc-redis-cache",
        "redis",
        6379
    ]
]

03 Repeat step no. 1 and 2 to verify the port number for other AWS ElastiCache clusters provisioned in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the audit process for other regions.
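The same audit, as an added example that is not part of the original page: a pure function over the JSON returned by describe-cache-clusters (or boto3's describe_cache_clusters with ShowCacheNodeInfo=True), flagging every cluster that still listens on its engine's default port. The cluster identifiers in the embedded sample are constructed.

```python
"""Flag ElastiCache clusters that still listen on their engine's default port."""

DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}


def cluster_port(cluster):
    """Return the port a cluster listens on, or None if it cannot be determined.

    Memcached clusters expose a ConfigurationEndpoint; Redis (non-cluster-mode)
    clusters only carry the port on their individual nodes, which are present in
    the response when ShowCacheNodeInfo / --show-cache-node-info is used.
    """
    endpoint = cluster.get("ConfigurationEndpoint")
    if endpoint and endpoint.get("Port"):
        return endpoint["Port"]
    for node in cluster.get("CacheNodes", []):
        port = (node.get("Endpoint") or {}).get("Port")
        if port:
            return port
    return None


def find_default_port_clusters(response):
    """Return [(cluster id, engine, port)] for every cluster on its default port."""
    findings = []
    for cluster in response.get("CacheClusters", []):
        engine = cluster.get("Engine", "").lower()
        port = cluster_port(cluster)
        if port is not None and port == DEFAULT_PORTS.get(engine):
            findings.append((cluster["CacheClusterId"], engine, port))
    return findings


# Constructed sample response: one Memcached cluster and two Redis clusters,
# of which only the last one has already been moved to a custom port.
SAMPLE_RESPONSE = {
    "CacheClusters": [
        {"CacheClusterId": "cc-memcached-cluster", "Engine": "memcached",
         "ConfigurationEndpoint": {"Address": "example.invalid", "Port": 11211}},
        {"CacheClusterId": "cc-redis-cache", "Engine": "redis",
         "CacheNodes": [{"Endpoint": {"Address": "example.invalid", "Port": 6379}}]},
        {"CacheClusterId": "cc-new-redis-cache", "Engine": "redis",
         "CacheNodes": [{"Endpoint": {"Address": "example.invalid", "Port": 3560}}]},
    ]
}

if __name__ == "__main__":
    for cluster_id, engine, port in find_default_port_clusters(SAMPLE_RESPONSE):
        print(f"{cluster_id} ({engine}) uses default port {port}")
```

To audit a live account, feed the function the result of `boto3.client("elasticache", region_name=region).describe_cache_clusters(ShowCacheNodeInfo=True)` for each region in turn.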

Remediation / Resolution

Case A: to change the default port number for ElastiCache clusters that use the Redis cache engine, you must re-create the clusters using a custom port number. To relaunch the necessary cache clusters, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 In the left navigation panel, under ElastiCache Dashboard, click Redis to access the clusters created with the Redis cache engine.

03 Choose the cache cluster that you want to re-create then click on its identifier link (see Audit section part I to identify the right ElastiCache resource).

04 On the selected cluster configuration page, select the Description tab and copy the current values set for attributes such as Name, Node Type, Engine Version Compatibility, Number of Nodes/Shards and Subnet, Security and Parameter Group(s). The configuration information copied is required for the next step (i.e. cache cluster relaunch).

05 Now it’s time to re-create the selected Redis cache cluster with a different port number. To relaunch the necessary ElastiCache cluster, perform the following:

  1. Go back to the ElastiCache service dashboard and click Create to launch the cache cluster setup.
  2. On the Create your Amazon ElastiCache cluster page, perform the following actions:
    • Select Redis from the Cluster Engine section to select the required cache engine type.
    • Replace the default endpoint port number available within Port field with a custom port number (e.g. 3560).
    • Paste the configuration attribute values copied at step no. 4 inside the corresponding fields within Redis settings section.
    • Click Advanced Redis settings tab to expand the cluster advanced settings panel then select the same subnet and security group(s) used by the source cache cluster. Set the rest of the configuration options based on your requirements.
    • Click Create to launch your new Amazon ElastiCache Redis cluster. Once the cache cluster has been successfully created, its status should change from creating to available.

06 Once you have replaced the source cluster endpoint (e.g. cc-redis-cache.aaabbb.0001.cccc.cache.amazonaws.com:6379) with the new cluster endpoint (e.g. cc-new-redis-cache.aaabbb.0001.cccc.cache.amazonaws.com:3560) within your application configuration, it is safe to shut down and delete the source cache cluster in order to stop incurring charges for it. To remove the necessary ElastiCache cluster from your AWS account, perform the following:

  1. Select the cache cluster that you want to remove and click the Delete button from the dashboard top menu.
  2. In the Delete Cluster confirmation box, select Yes from the Create final backup dropdown menu, provide a name for the cluster backup, then click Delete.

07 Repeat steps no. 3 - 6 to change the endpoint port number for other AWS ElastiCache clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, gather the configuration details from the source ElastiCache cluster (i.e. the one that uses the default port number). Run describe-cache-clusters command (OSX/Linux/UNIX) using the ID of the cluster that you want to re-create (see Audit section part II to identify the right resource) to list the required configuration details:

aws elasticache describe-cache-clusters \
	--region us-east-1 \
	--cache-cluster-id cc-redis-cache

02 The command output should return the requested cache cluster configuration information:

{
    "CacheClusters": [
        {
            "Engine": "redis",
            "CacheClusterId": "cc-redis-cache",
            "NumCacheNodes": 2,
            "CacheClusterCreateTime": "2017-04-18T09:25:26.712Z",
            "AutoMinorVersionUpgrade": true,
            "CacheClusterStatus": "available",
            "PreferredAvailabilityZone": "us-east-1e",

            ...

            "CachePort": 6379,
            "CacheSubnetGroupName": "",
            "EngineVersion": "3.2.4",
            "PendingModifiedValues": {},
            "PreferredMaintenanceWindow": "sat:03:00-sat:04:00",
            "CacheNodeType": "cache.m4.xlarge"
        }
    ]
}

03 Re-create the source cache cluster with the create-cache-cluster command (OSX/Linux/UNIX), using the existing ElastiCache cluster configuration attribute values returned at the previous step and a custom value for the endpoint port (--port parameter value):

aws elasticache create-cache-cluster \
	--region us-east-1 \
	--cache-cluster-id cc-new-redis-cache \
	--az-mode single-az \
	--preferred-availability-zone "us-east-1e" \
	--num-cache-nodes 2 \
	--cache-node-type cache.m4.xlarge \
	--engine redis \
	--engine-version "3.2.4" \
	--security-group-ids "sg-d194985e" \
	--port 3560 \
	--auto-minor-version-upgrade

04 The command output should return the newly created Redis cache cluster metadata:

{
    "CacheCluster": {
        "Engine": "redis",
        "CacheParameterGroup": {
            "CacheNodeIdsToReboot": [],
            "CacheParameterGroupName": "default.redis3.2",
            "ParameterApplyStatus": "in-sync"
        },
        "CacheClusterId": "cc-new-redis-cache",
        "CacheSecurityGroups": [],
        "NumCacheNodes": 2,
        "AutoMinorVersionUpgrade": true,
        "CacheClusterStatus": "creating",
        "PreferredAvailabilityZone": "us-east-1e",

        ...

        "SecurityGroups": [
            {
                "Status": "active",
                "SecurityGroupId": "sg-d194985e"
            }
        ],
        "CacheSubnetGroupName": "default",
        "EngineVersion": "3.2.4",
        "PendingModifiedValues": {},
        "PreferredMaintenanceWindow": "tue:03:30-tue:04:30",
        "CacheNodeType": "cache.m4.xlarge"
    }
}

05 Once you have replaced the source cluster endpoint with the new cluster endpoint within your application code, it is safe to shut down and delete the source cache cluster in order to stop incurring charges for it. To remove the necessary ElastiCache cluster from your AWS account, run delete-cache-cluster command (OSX/Linux/UNIX):

aws elasticache delete-cache-cluster \
	--region us-east-1 \
	--cache-cluster-id cc-redis-cache \
	--final-snapshot-identifier cc-redis-cache-final-snapshot

06 The command output should return the command request metadata:

{
    "CacheClusters": [
        {
            "Engine": "redis",
            "CacheClusterId": "cc-redis-cache",
            "NumCacheNodes": 2,
            "AutoMinorVersionUpgrade": true,
            "CacheClusterStatus": "deleting",

            ...

            "CachePort": 6379,
            "EngineVersion": "3.2.4",
            "PendingModifiedValues": {},
            "PreferredMaintenanceWindow": "sat:03:00-sat:04:00",
            "CacheNodeType": "cache.m4.xlarge"
        }
    ]
}

07 Repeat steps no. 1 - 6 to change the endpoint port number for other AWS ElastiCache clusters provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire process for other regions.

Case B: to change the default port number for ElastiCache clusters that use Memcached as cache engine, you must re-create the clusters using a custom port number. To relaunch the necessary Memcached clusters, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 In the left navigation panel, under ElastiCache Dashboard, click Memcached to access the clusters created with the Memcached cache engine.

03 Choose the cache cluster that you want to re-create then click on its identifier link (see Audit section part I to identify the right resource).

04 On the selected cluster configuration page, select the Description tab and copy the current values set for attributes such as Cluster, Node Type, Engine Version Compatibility, Number of Nodes, Availability Zones and Subnet, Security and Parameter Group(s). The configuration information copied at this point is required for the next step (i.e. cache cluster relaunch).

05 Now we can re-create the selected Memcached cache cluster with a different port number. To relaunch the necessary ElastiCache cluster, perform the following:

  1. Go back to the ElastiCache service dashboard and click Create to launch the cache cluster setup.
  2. On the Create your Amazon ElastiCache cluster page, perform the following actions:
    • Select Memcached from the Cluster Engine section to select the required cache engine type.
    • Replace the default endpoint port number available within Port field with a custom port number (e.g. 13611).
    • Paste the configuration attribute values copied at step no. 4 inside the corresponding fields within Memcached settings section.
    • Click Advanced Memcached settings tab to expand the cluster advanced settings panel then select the same AZ, subnet and security group(s) used by the source cache cluster. Set the rest of the configuration options based on your needs.
    • Click Create to launch your new Amazon ElastiCache Memcached cluster. Once the cache cluster has been successfully created, its status should change from creating to available.

06 Once you have replaced the source cluster endpoint (e.g. cc-memcached-cluster.aaabbb.ccc.use1.cache.amazonaws.com:11211) with the new cluster endpoint (e.g. cc-memcached-cluster.aaabbb.ccc.use1.cache.amazonaws.com:13611) within your application code, it is safe to terminate the source cache cluster in order to stop incurring charges for it. To remove the necessary ElastiCache cluster from your AWS account, perform the following:

  1. Select the cache cluster that you want to remove and click the Delete button from the dashboard top menu.
  2. Within Delete Cluster confirmation box, click Delete to confirm your action.

07 Repeat steps no. 3 - 6 to change the endpoint port number for other AWS ElastiCache Memcached clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Get the configuration details from the source Memcached cluster by executing describe-cache-clusters command (OSX/Linux/UNIX) using the identifier of the cluster that you want to re-create (see Audit section part II to identify the right resource) to list the required configuration details:

aws elasticache describe-cache-clusters \
	--region us-east-1 \
	--cache-cluster-id cc-memcached-cluster

02 The command output should return the requested cache cluster configuration information:

{
    "CacheClusters": [
        {
            "Engine": "memcached",
            "CacheParameterGroup": {
                "CacheNodeIdsToReboot": [],
                "CacheParameterGroupName": "default.memcached1.4",
                "ParameterApplyStatus": "in-sync"
            },
            "CacheClusterId": "cc-memcached-cluster",
            "PreferredAvailabilityZone": "us-east-1a",
            "CacheClusterCreateTime": "2017-07-22T10:23:54.897Z",

            ...

            "AutoMinorVersionUpgrade": true,
            "CacheClusterStatus": "available",
            "NumCacheNodes": 2,
            "CacheSubnetGroupName": "default",
            "EngineVersion": "1.4.34",
            "PendingModifiedValues": {},
            "PreferredMaintenanceWindow": "sat:08:00-sat:09:00",
            "CacheNodeType": "cache.m4.xlarge"
        }
    ]
}

03 Re-create the source cache cluster with the create-cache-cluster command (OSX/Linux/UNIX), using the existing ElastiCache cluster configuration attribute values returned at the previous step and a custom value for the endpoint port (--port parameter value):

aws elasticache create-cache-cluster \
	--region us-east-1 \
	--cache-cluster-id cc-new-memcached-cluster \
	--az-mode single-az \
	--preferred-availability-zone "us-east-1a" \
	--num-cache-nodes 2 \
	--cache-node-type cache.m4.xlarge \
	--engine memcached \
	--engine-version "1.4.34" \
	--security-group-ids "sg-c3849d44" \
	--port 13611 \
	--auto-minor-version-upgrade

04 The command output should return the newly created Memcached cache cluster metadata:

{
    "CacheCluster": {
        "Engine": "memcached",
        "CacheClusterId": "cc-new-memcached-cluster",
        "CacheSecurityGroups": [],
        "NumCacheNodes": 2,
        "AutoMinorVersionUpgrade": true,
        "CacheClusterStatus": "creating",
        "PreferredAvailabilityZone": "us-east-1a",

        ...

        "SecurityGroups": [
            {
                "Status": "active",
                "SecurityGroupId": "sg-c3849d44"
            }
        ],
        "CacheSubnetGroupName": "default",
        "EngineVersion": "1.4.34",
        "PendingModifiedValues": {},
        "PreferredMaintenanceWindow": "sat:08:00-sat:09:00",
        "CacheNodeType": "cache.m4.xlarge"
    }
}

05 Once you have replaced the source cluster endpoint with the new cluster endpoint within your application configuration, it is safe to shut down the source cache cluster in order to stop incurring charges for it. To remove the necessary ElastiCache cluster from your AWS account, run delete-cache-cluster command (OSX/Linux/UNIX):

aws elasticache delete-cache-cluster \
	--region us-east-1 \
	--cache-cluster-id cc-memcached-cluster

06 The command output should return the command request metadata:

{
    "CacheClusters": [
        {
            "Engine": "memcached",
            "CacheClusterId": "cc-memcached-cluster",
            "NumCacheNodes": 2,
            "AutoMinorVersionUpgrade": true,
            "CacheClusterStatus": "deleting",

            ...

            "CachePort": 11211,
            "EngineVersion": "1.4.34",
            "PendingModifiedValues": {},
            "PreferredMaintenanceWindow": "sat:08:00-sat:09:00",
            "CacheNodeType": "cache.m4.xlarge"
        }
    ]
}

07 Repeat steps no. 1 - 6 to change the endpoint port number for other AWS ElastiCache Memcached clusters provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the process for other regions.
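The relaunch step of both Case A and Case B (carry the source cluster's configuration over to a new cluster, changing only the identifier and the port), as an added example that is not the page's or AWS's own code. It takes one element of the CacheClusters array returned by describe-cache-clusters and builds the keyword arguments for boto3's create_cache_cluster(); the sample source cluster is constructed to mirror the page's Redis output.

```python
"""Build create_cache_cluster() parameters for relaunching a cluster on a custom port."""

DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}

# Attributes copied unchanged from the describe-cache-clusters output
# (they use the same key names in create_cache_cluster()).
CARRY_OVER = ("Engine", "EngineVersion", "CacheNodeType", "NumCacheNodes",
              "PreferredAvailabilityZone", "CacheSubnetGroupName",
              "PreferredMaintenanceWindow", "AutoMinorVersionUpgrade")


def relaunch_params(source, new_cluster_id, new_port):
    """Return create_cache_cluster() kwargs for a copy of `source` on `new_port`."""
    engine = source["Engine"].lower()
    if not 1 <= new_port <= 65535:
        raise ValueError(f"port {new_port} is out of range")
    if new_port == DEFAULT_PORTS.get(engine):
        raise ValueError(f"port {new_port} is the default port for {engine}")
    if new_cluster_id == source["CacheClusterId"]:
        raise ValueError("the new cluster needs a different identifier")

    params = {"CacheClusterId": new_cluster_id, "Port": new_port}
    for key in CARRY_OVER:
        value = source.get(key)
        if value not in (None, ""):  # describe output may carry "" for unset names
            params[key] = value
    group = source.get("CacheParameterGroup", {}).get("CacheParameterGroupName")
    if group:
        params["CacheParameterGroupName"] = group
    sg_ids = [sg["SecurityGroupId"] for sg in source.get("SecurityGroups", [])]
    if sg_ids:
        params["SecurityGroupIds"] = sg_ids  # keep the source cluster's network controls
    return params


# Constructed source cluster, modelled on the page's describe-cache-clusters output.
SAMPLE_SOURCE = {
    "Engine": "redis", "CacheClusterId": "cc-redis-cache", "NumCacheNodes": 2,
    "AutoMinorVersionUpgrade": True, "PreferredAvailabilityZone": "us-east-1e",
    "CacheParameterGroup": {"CacheParameterGroupName": "default.redis3.2"},
    "SecurityGroups": [{"Status": "active", "SecurityGroupId": "sg-d194985e"}],
    "CacheSubnetGroupName": "", "EngineVersion": "3.2.4",
    "PreferredMaintenanceWindow": "sat:03:00-sat:04:00", "CacheNodeType": "cache.m4.xlarge",
}

if __name__ == "__main__":
    print(relaunch_params(SAMPLE_SOURCE, "cc-new-redis-cache", 3560))
```

The returned dictionary can be passed straight to `boto3.client("elasticache").create_cache_cluster(**params)`; once the application points at the new endpoint, the source cluster is deleted as in step 05.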

Publication date Nov 1, 2017