Logo of Trend Micro

Check for Unrestricted Memcached Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Very High (act immediately)
Rule ID: EC2-075

Check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) on TCP and/or UDP port 11211 in order to reduce the attack surface and protect the Memcached cache server instances associated with your security groups. Memcached is an open source, high-performance, distributed memory object caching system, intended for use in speeding up dynamic websites and web applications by alleviating database load.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Allowing unrestricted inbound/ingress access on TCP and/or UDP port 11211 (Memcached) to your Amazon EC2 instances can increase opportunities for malicious activities such as DDoS amplification attacks, which can have a serious impact on the health and stability of your web services and applications.

Audit

To determine if your Amazon EC2 security groups allow unrestricted Memcached access, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the console top menu and select the following options from the dropdown menu:

  1. Choose Protocol and select TCP from the protocols list.
  2. Choose Protocol and select UDP from the protocols list.
  3. Choose Port Range, type 11211 for the port number, and press Enter.

05 Select the Amazon EC2 security group that you want to examine and choose the Inbound tab to access the inbound rules created for the group.

06 Check the value available in the Source column for any inbound/ingress rules with the Port Range set to 11211. If one or more rules have the Source value set to 0.0.0.0/0 or ::/0 (i.e. Anywhere), the selected Amazon EC2 security group allows unrestricted traffic TCP and/or UDP port 11211, therefore the Memcached service access to the associated EC2 instance(s) is not secured.

07 Repeat step no. 5 and 6 for each security group returned as result at step no. 4.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using predefined and custom query filters to describe the name of each Amazon EC2 security group that allows unrestricted inbound access on TCP and/or UDP port 11211 (Memcached): 

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.from-port,Values=11211 Name=ip-permission.to-port,Values=11211 Name=ip-permission.cidr,Values='0.0.0.0/0' Name=ip-permission.ipv6-cidr,Values='::/0'
	--output table
	--query 'SecurityGroups[*].{Name:GroupName}'

02 The command output should return a table with the requested security group names: 

----------------------------
|  DescribeSecurityGroups  |
+--------------------------+
|           Name           |
+--------------------------+
|  cc-memcached-server-sg  |
|  cc-web-stack-server-sg  |
+--------------------------+

If the describe-security-groups command request is not showing an output, there are no security groups that allow unrestricted inbound access on TCP/UDP port 11211 in the selected AWS region. If the command output returns a table with one or more security group names, those Amazon EC2 security groups allow unrestricted traffic on TCP and/or UDP port 11211, therefore the Memcached service access to the associated EC2 instance(s) is not secured.

03 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To update your Amazon EC2 security groups configuration in order to restrict Memcached access to trusted entities such as authorized IP addresses, IP address ranges, and security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the Amazon EC2 security group that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Inbound tab from the console bottom panel and choose Edit.

06 In the Edit inbound rules configuration box, change the traffic source for the inbound rule that allows unrestricted access via TCP/UDP port 11211, by performing one of the following operations:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your current machine (from your own IP address).
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements. Usually, this source represents the IP, IP range or security group of the web server that needs to connect to your Memcached instance:
    • The static IP address of the authorized host in CIDR notation (e.g. 192.0.8.0/32).
    • The IP address range of the authorized network or subnetwork in CIDR notation, for example 192.0.8.0/24.
    • The name or ID of another security group available within the same AWS region.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 to reconfigure other security groups that allow unrestricted Memcached service access.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the name of the Amazon EC2 security group that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to remove the inbound rule that allows unrestricted access on TCP port 11211. Replace tcp with udp within the --protocol parameter value to remove the ingress rule that allows unrestricted access on UDP port 11211 (the command does not produce an output): 

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name cc-memcached-server-sg
	--protocol tcp
	--port 11211
	--cidr 0.0.0.0/0

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed at the previous step with a different set of parameters in order to restrict access on TCP port 11211 (Memcached) to trusted entities only (IP addresses, IP ranges, or security groups). To add an ingress rule that allows authorized access on UDP port 11211, replace tcp with udp within the --protocol command parameter value. To create and attach custom inbound/ingress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command does not return an output):

  1. Add an inbound rule that allows traffic from an authorized static IP address via TCP port 11211, using CIDR notation (e.g. 192.0.8.0/32): 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name cc-memcached-server-sg
	--protocol tcp
	--port 11211
	--cidr 192.0.8.0/32
  2. Add an inbound/ingress rule that allows traffic from a trusted IP address range via TCP port 11211, using CIDR notation (for example, 192.0.8.0/24): 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name cc-memcached-server-sg
	--protocol tcp
	--port 11211
	--cidr 192.0.8.0/24
  3. Add an inbound rule that allows traffic from another security group available in the same AWS region via TCP port 11211. This can be the security group of the web server that needs to connect to your Memcached service instance: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-name cc-memcached-server-sg
	--protocol tcp
	--port 11211
	--source-group cc-production-server-sg

03 Repeat step no. 1 and 2 to reconfigure other security groups that allow unrestricted Memcached access.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.

References

Publication date Dec 14, 2020

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Unrestricted Memcached Access

Risk level: Very High