Profile Applicability:

  • Level 1

Description:

This check ensures that no security group in your AWS environment allows ingress (incoming) traffic from the internet (0.0.0.0/0 or ::/0) to TCP port 11211, the default port of the Memcached caching service. Allowing such traffic without restriction exposes the EC2 instances that use the security group to unauthorized access and potential exploits.

Rationale:

Memcached is a high-performance, distributed memory caching system often used to speed up dynamic web applications by alleviating database load. Memcached performs no authentication by default, so any host that can reach port 11211 can read, overwrite and flush cached data; network-level access control is therefore the primary barrier. Exposing Memcached to the internet on port 11211 without such controls can lead to unauthorized access, data leakage, and potential abuse. It's essential to restrict access to trusted sources to maintain the security and integrity of your applications.

Impact:

  • Security: Unauthorized access to Memcached can lead to data breaches, service disruptions, or system compromises.

  • Compliance: Failure to restrict access to this port may violate security standards and compliance requirements (e.g., PCI-DSS, HIPAA, SOC 2).

  • Service Downtime: Exploits targeting Memcached can lead to service outages or security incidents affecting resource availability.

Default Value: 

By default, a newly created security group has no inbound rules, and the default security group of a VPC only allows inbound traffic from instances assigned to the same group, so neither allows inbound traffic on port 11211 from the internet. However, custom security group rules might allow ingress to this port.

Pre-Requisites:

  • AWS Management Console access or AWS CLI installed with appropriate permissions to describe and modify security group rules.

  • Familiarity with security best practices and the Memcached service.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left-hand menu, under Network & Security, choose Security Groups.

  4. Select each security group and review the Inbound Rules.

  5. Verify that no rules allow ingress from 0.0.0.0/0 or ::/0 to port 11211. Include rules whose port range spans 11211 (for example 11000-12000 or 0-65535) and "All traffic" rules, which expose the port just as an exact 11211 rule does.

  6. If such rules exist, modify them to allow only trusted sources or remove them.

Using AWS CLI:

Run the following command to list all security groups and their inbound rules in the current AWS region (repeat per region, or pass --region):

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}'

For each security group, check the IpPermissions entries for any rule that admits TCP port 11211 from 0.0.0.0/0 (in IpRanges) or ::/0 (in Ipv6Ranges): an exact FromPort/ToPort of 11211, a port range that spans it, or IpProtocol -1 (all traffic).

If such entries exist, they should be modified or removed.
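The console and CLI steps above rely on an operator spotting the offending rule by eye, and the exact-port describe-security-groups filter used later on this page misses rules that cover 11211 as part of a range or as "All traffic". The following Python script is an added example, not part of the original check, that performs the audit over the JSON that `aws ec2 describe-security-groups` (or boto3's describe_security_groups) returns, flags every rule that admits TCP 11211 from 0.0.0.0/0 or ::/0 including ranges and all-traffic rules, and prints a revoke command that matches each rule exactly. The security group data is constructed sample input in that shape; the group IDs and names are made up.

```python
"""Audit security-group JSON for rules exposing TCP 11211 (Memcached) to the internet.

Input shape is that of `aws ec2 describe-security-groups` / boto3
describe_security_groups()["SecurityGroups"]; the sample below is constructed.
"""
import json
from typing import Any, Dict, List

MEMCACHED_PORT = 11211
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample data; group IDs and names are made up for this example.
SAMPLE_SECURITY_GROUPS: List[Dict[str, Any]] = [
    {   # exact match: TCP 11211 open to the IPv4 internet
        "GroupId": "sg-0a1", "GroupName": "memcached-public",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # compliant: same port, but restricted to a private range
        "GroupId": "sg-0b2", "GroupName": "memcached-internal",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
    },
    {   # "All traffic" rule open to the IPv6 internet; no FromPort/ToPort keys at all
        "GroupId": "sg-0c3", "GroupName": "wide-open-v6",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # port range that spans 11211, plus an unrelated SSH rule
        "GroupId": "sg-0d4", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 11000, "ToPort": 12000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def rule_covers_port(perm: Dict[str, Any], port: int = MEMCACHED_PORT) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # "All traffic": every protocol and every port
        return True
    if proto != "tcp":             # udp/icmp/protocol numbers do not carry TCP 11211
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:   # defensive: a tcp rule without ports means all ports
        return True
    return lo <= port <= hi


def public_sources(perm: Dict[str, Any]) -> List[str]:
    """Internet-wide CIDRs (IPv4 and IPv6) that this entry accepts traffic from."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_SOURCES]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_SOURCES]
    return v4 + v6


def find_exposed_memcached_rules(security_groups: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per (security group, rule, public source) that exposes TCP 11211."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm):
                continue
            for src in public_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Source": src,
                })
    return findings


def revoke_command(finding: Dict[str, Any]) -> str:
    """Build an `aws ec2 revoke-security-group-ingress` call that matches the rule exactly.

    The --ip-permissions form is used because --cidr only accepts IPv4 and because
    a revoke must reproduce the rule's own protocol and port range: AWS will not
    carve 11211 out of a wider range. A wide-range or All-traffic rule is therefore
    removed whole and must be re-added narrower if its other ports are still needed.
    """
    perm: Dict[str, Any] = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Source"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Source"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Source"]}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f"--ip-permissions '{json.dumps([perm])}'")


if __name__ == "__main__":
    for f in find_exposed_memcached_rules(SAMPLE_SECURITY_GROUPS):
        ports = "all" if f["FromPort"] is None else f"{f['FromPort']}-{f['ToPort']}"
        print(f"{f['GroupId']}: {f['IpProtocol']} {ports} open from {f['Source']}")
        print("  " + revoke_command(f))
```

To run it against a real account, replace SAMPLE_SECURITY_GROUPS with the output of `aws ec2 describe-security-groups --query SecurityGroups` (or the equivalent boto3 call), once per region. Review each printed revoke command before running it: for range and All-traffic rules the revoke removes the whole rule, so any other ports it carried must be re-added with narrower rules that exclude 11211.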

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left-hand menu, under Network & Security, choose Security Groups.

  4. Select each security group and review the Inbound Rules.

  5. If any rule allows ingress from 0.0.0.0/0 or ::/0 to port 11211:

    • Click Edit inbound rules.

    • Locate the rule allowing access to this port and delete it, or change its Source to a trusted CIDR range.

    • Click Save rules.

Using AWS CLI:

To revoke the ingress rule allowing access to port 11211 from 0.0.0.0/0, run:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 11211 --cidr 0.0.0.0/0

Replace <security-group-id> with the ID of your security group. The values in the revoke request must match the existing rule exactly: for an IPv6 rule use the --ip-permissions form with an Ipv6Ranges entry of CidrIpv6 ::/0 instead of --cidr, and for a rule with a wider port range or "All traffic", revoke that rule as it exists and, if its other ports are still needed, re-add narrower rules that exclude 11211.

Backout Plan:

Removing the rule cuts off any client that was legitimately reaching Memcached over the internet. If that happens, restore access for that client's source range only, not for 0.0.0.0/0 or ::/0.

Using AWS Console:

  1. Open the Amazon EC2 console and navigate to Security Groups under Network & Security.

  2. Select the security group whose rule was removed and click Edit inbound rules.

  3. Click Add rule, set Type to Custom TCP, Port range to 11211, and Source to the trusted CIDR range (for example the application subnet) that requires access.

  4. Click Save rules.

Using AWS CLI:

Confirm that no security group still exposes the port to the IPv4 internet; the command returns an empty list once the remediation has been applied. Note that it matches only rules whose port range is exactly 11211:

aws ec2 describe-security-groups \
--filters Name=ip-permission.protocol,Values=tcp \
Name=ip-permission.from-port,Values=11211 \
Name=ip-permission.to-port,Values=11211 \
Name=ip-permission.cidr,Values=0.0.0.0/0

Repeat with Name=ip-permission.ipv6-cidr,Values=::/0 in place of the last filter to cover IPv6.

Restore access for a trusted source range:

aws ec2 authorize-security-group-ingress \
--group-id <security-group-id> \
--protocol tcp \
--port 11211 \
--cidr <trusted-cidr>

Replace <security-group-id> with the ID of your security group and <trusted-cidr> with the source range that requires access.

References: