Enable In-Transit Encryption for Redis Cache Servers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RedisCache-001

Ensure that SSL-only access to your Azure Redis Cache servers is enabled in order to meet cloud security and compliance requirements. Enforcing SSL (TLS) connections helps prevent unauthorized users from reading sensitive data intercepted as it travels over the network between clients/applications and cache servers (known as data in transit).

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.

Security

The use of secure (TLS) connections provides authentication between the cache server and the service or application, and protects data in transit against network-layer attacks such as man-in-the-middle (MITM), eavesdropping and session hijacking. When working with production data, it is highly recommended to enable encryption in order to protect it from unauthorized access and to fulfill your organization's compliance requirements for data encryption. A typical example is the requirement to protect sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled in the Financial Services, Healthcare and Telecommunications sectors.


Audit

To determine the data-in-transit encryption configuration status for your Azure Redis Cache servers, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cache for Redis to list all the Redis Cache servers provisioned in the selected subscription.

05 Click on the name of the Redis Cache server that you want to examine.

06 In the navigation panel, under Settings, select Advanced settings to access the encryption settings available for the selected server.

07 On the Advanced settings page, check the Allow access only via SSL configuration setting status. If the setting status is set to No, the data-in-transit encryption is not enabled for the selected Microsoft Azure Redis Cache server.

08 Repeat steps no. 5 – 7 for each Redis Cache server available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the redis list command (Windows/macOS/Linux) with a custom query filter to list the IDs of the Redis Cache servers created in the current Azure subscription:

az redis list \
	--query '[*].id'

02 The command output should return the requested cache server identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-web-cache-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-data-cache"
]

03 Run the redis show command (Windows/macOS/Linux) with the ID of the Redis Cache server that you want to examine as the identifier parameter and a custom query filter to describe the non-SSL port configuration status of the selected server:

az redis show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-web-cache-server" \
	--query 'enableNonSslPort'

04 The command output should return the requested configuration status:

true

If the redis show command output returns true, the non-SSL Redis Cache port (i.e. 6379) is enabled, therefore data-in-transit encryption is not enforced for the selected Microsoft Azure Redis Cache server.

05 Repeat step no. 3 and 4 for each Redis Cache server deployed in the current subscription.

06 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable in-transit encryption for your Microsoft Azure Redis Cache servers by allowing access only via SSL on port 6380, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cache for Redis to display all Azure Redis Cache servers launched in the selected subscription.

05 Click on the name of the Redis Cache server that you want to reconfigure.

06 In the navigation panel, under Settings, select Advanced settings to access the encryption configuration settings available for the selected server.

07 On the Advanced settings page, choose Yes next to Allow access only via SSL to enable data-in-transit encryption for the selected Microsoft Azure Redis Cache server. Click Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Redis Cache server available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the redis update command (Windows/macOS/Linux) with the ID of the Redis Cache server that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource). Setting the enableNonSslPort parameter to false closes port 6379 and enforces SSL connections on port 6380, enabling data-in-transit encryption for the selected Microsoft Azure Redis Cache server:

az redis update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-web-cache-server" \
	--set enableNonSslPort=false

02 The command output should return the metadata available for the reconfigured cache server:

{
  "accessKeys": null,
  "enableNonSslPort": false,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-web-cache-server",
  "instances": [
    {
      "nonSslPort": null,
      "shardId": null,
      "sslPort": 15000,
      "zone": null
    },
    {
      "nonSslPort": null,
      "shardId": null,
      "sslPort": 15001,
      "zone": null
    }
  ],

  ...

  "location": "West Europe",
  "minimumTlsVersion": null,
  "name": "cc-web-cache-server",
  "port": 6379,
  "provisioningState": "Succeeded",
  "redisVersion": "4.0.14",
  "replicasPerMaster": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "shardCount": null,
  "sslPort": 6380,
  "staticIp": null,
  "subnetId": null,
  "tenantSettings": null,
  "type": "Microsoft.Cache/Redis",
  "zones": null
}

03 Repeat step no. 1 and 2 for each Redis Cache server launched within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
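The Audit and Remediation procedures above are repeated by hand per cache and per subscription. As an added example (not part of the original Cloud Conformity page and not Azure tooling), the following Python evaluates the JSON that `az redis list --output json` returns, flags every cache whose enableNonSslPort is not exactly false, and emits the corresponding `az redis update` command from the Remediation section. The sample input is constructed here from the two cache IDs used in the command outputs above; the function names audit_redis_caches and remediation_commands are this example's own. It also carries the minimumTlsVersion field through, because closing port 6379 forces TLS but does not by itself set a minimum protocol version (note "minimumTlsVersion": null in the update output above).

```python
import json
import shlex

# Constructed sample in the shape of `az redis list --output json`, trimmed to
# the fields this check reads. The IDs reuse the placeholder subscription from
# the command outputs above; the remaining values are made up for the example.
SAMPLE_AZ_REDIS_LIST = json.dumps([
    {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-web-cache-server",
        "name": "cc-web-cache-server",
        "enableNonSslPort": True,
        "port": 6379,
        "sslPort": 6380,
        "minimumTlsVersion": None,
    },
    {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-data-cache",
        "name": "cc-prod-data-cache",
        "enableNonSslPort": False,
        "port": 6379,
        "sslPort": 6380,
        "minimumTlsVersion": "1.2",
    },
])


def audit_redis_caches(az_list_json):
    """Return one finding per cache in `az redis list` JSON output.

    A cache is compliant with RedisCache-001 only when enableNonSslPort is
    exactly False. A missing or null value is treated as non-compliant, so an
    unexpected API shape fails closed instead of passing silently.
    """
    findings = []
    for cache in json.loads(az_list_json):
        non_ssl = cache.get("enableNonSslPort")
        findings.append({
            "id": cache["id"],
            "name": cache.get("name", "<unknown>"),
            "enableNonSslPort": non_ssl,
            "compliant": non_ssl is False,
            # Separate setting: disabling port 6379 forces TLS but does not
            # pin a minimum protocol version; report it so it can be reviewed.
            "minimumTlsVersion": cache.get("minimumTlsVersion"),
        })
    return findings


def remediation_commands(findings):
    """Build the `az redis update` command from the Remediation section for
    each non-compliant cache. shlex.quote keeps the resource ID safe to paste
    into a shell even if a name contains unusual characters."""
    return [
        "az redis update --ids {} --set enableNonSslPort=false".format(
            shlex.quote(f["id"]))
        for f in findings if not f["compliant"]
    ]


if __name__ == "__main__":
    results = audit_redis_caches(SAMPLE_AZ_REDIS_LIST)
    for f in results:
        state = "OK  " if f["compliant"] else "FAIL"
        print("{} {} enableNonSslPort={} minimumTlsVersion={}".format(
            state, f["name"], f["enableNonSslPort"], f["minimumTlsVersion"]))
    for cmd in remediation_commands(results):
        print(cmd)
```

To run it against a real subscription, select it with `az account set --subscription <id>`, capture `az redis list --output json` to a file, and pass the file contents to audit_redis_caches; review the printed update commands before executing them, since closing port 6379 breaks any client still connecting without TLS.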

Publication date Mar 27, 2020
