Ensure that your AWS ElastiCache clusters are not using their default endpoint ports (i.e. 6379 for Redis and 11211 for Memcached) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
Changing the default port number for your cache clusters represents a basic security measure and does not completely secure the clusters from port scanning and network attacks. To implement advanced AWS ElastiCache security, you should always look into security measures such as controlling clusters access through security groups and Network Access Control Lists (NACLs) and keep clusters within private subnets to completely isolate them from the internet.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Running your AWS ElastiCache clusters on the default port represent a potential security concern. Replacing the default port numbers (6379 for Redis and 11211 for Memcached) with custom ones will add an extra layer of security, protecting your cache clusters from malicious attacks.
To determine if your existing Amazon ElastiCache clusters are using their default ports, perform the following:
Case A: to change the default port number for ElastiCache clusters that use the Redis cache engine, you must re-create the clusters using a custom port number. To relaunch the necessary cache clusters, perform the following:
Case B: to change the default port number for ElastiCache clusters that use Memcached as cache engine, you must re-create the clusters using a custom port number. To relaunch the necessary Memcached clusters, perform the following: