Profile Applicability:

Level 1

Description:

This check ensures that no EC2 instances have security group rules that allow inbound traffic from the internet (0.0.0.0/0) to TCP port 6379, which is commonly used by Redis. Allowing ingress to this port from the internet poses a significant security risk.

Rationale:

Restricting access to TCP port 6379 helps to protect Redis instances from unauthorized access and potential exploitation. This is crucial for maintaining the integrity and confidentiality of the data stored in Redis.

Impact:

  • Positive Impact: Improved security by preventing unauthorized access to Redis instances.

  • Negative Impact: Potential disruption for services or applications that rely on public access to Redis. Alternatives for secure access must be implemented.

Default Value:

By default, security groups do not allow inbound traffic to TCP port 6379 from the internet. However, explicit security group rules may have been added.

Pre-Requisite:

  • IAM Permissions: Ensure necessary permissions to view and modify security group rules.

  • AWS Services: EC2, Security Groups

  • Tools Required: AWS Management Console, AWS CLI

Remediation:

Test plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left navigation pane, choose Security Groups.

  4. Search for security groups that allow inbound access to TCP port 6379.

  5. Select each security group and click Edit inbound rules.

  6. Remove any rule that allows access from 0.0.0.0/0 to TCP port 6379.

  7. Click Save rules to apply the changes.

Using AWS CLI:

List Security Groups: Retrieve all security groups and their inbound rules:

aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,Rules:IpPermissions}" --output json > /tmp/security-groups.json

Identify Groups with Port 6379: Filter for security groups allowing ingress on TCP port 6379 from the internet:

jq '[.[] | select(any(.Rules[]?; .IpProtocol == "tcp" and .FromPort == 6379 and .ToPort == 6379 and any(.IpRanges[]?; .CidrIp == "0.0.0.0/0")))]' /tmp/security-groups.json > /tmp/insecure-groups.json

Remove Ingress Rule: For each identified security group, remove the rule allowing access from 0.0.0.0/0 to TCP port 6379:

SECURITY_GROUP_IDS=$(jq -r '.[].ID' /tmp/insecure-groups.json)
for SG_ID in $SECURITY_GROUP_IDS; do
    aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 6379 --cidr 0.0.0.0/0
done

Implementation steps:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left navigation pane, choose Security Groups.

  4. Search for security groups that allow inbound access to TCP port 6379.

  5. Select each security group and click Edit inbound rules.

  6. Remove any rule that allows access from 0.0.0.0/0 to TCP port 6379.

  7. Click Save rules to apply the changes.

Using AWS CLI:

List Security Groups: Retrieve all security groups and their inbound rules:

aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,Rules:IpPermissions}" --output json > /tmp/security-groups.json


Identify Groups with Port 6379: Filter for security groups allowing ingress on TCP port 6379 from the internet:

jq '[.[] | select(any(.Rules[]?; .IpProtocol == "tcp" and .FromPort == 6379 and .ToPort == 6379 and any(.IpRanges[]?; .CidrIp == "0.0.0.0/0")))]' /tmp/security-groups.json > /tmp/insecure-groups.json


Remove Ingress Rule: For each identified security group, remove the rule allowing access from 0.0.0.0/0 to TCP port 6379:

SECURITY_GROUP_IDS=$(jq -r '.[].ID' /tmp/insecure-groups.json)
for SG_ID in $SECURITY_GROUP_IDS; do
    aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 6379 --cidr 0.0.0.0/0
done
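The following audit script is an added example, not part of the CIS check text or the AWS CLI. It reproduces the detection logic of the jq filter above in Python, running on the JSON shape that `aws ec2 describe-security-groups` returns, and goes beyond the check's exact-match rule: it also flags port ranges that merely contain 6379, IpProtocol "-1" (all traffic) rules, and the IPv6 wildcard ::/0. The sample security groups are constructed for illustration.

```python
# Added example: audit describe-security-groups output for Redis exposure.
# Extends the check's exact 6379/0.0.0.0/0 match to ranges, "-1" and ::/0.
import json

REDIS_PORT = 6379
ANY_IPV4 = "0.0.0.0/0"   # the CIDR named in the check
ANY_IPV6 = "::/0"        # IPv6 equivalent, added here as an extension


def rule_exposes_port(rule: dict, port: int = REDIS_PORT) -> bool:
    """True if one IpPermissions entry admits `port` from the whole internet."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all protocols/ports: FromPort/ToPort absent
        covers_port = True
    elif proto == "tcp":         # range match, not just an exact 6379-6379 rule
        covers_port = rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)
    else:                        # udp/icmp etc. cannot carry Redis traffic
        return False
    open_v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return covers_port and (open_v4 or open_v6)


def find_insecure_groups(groups: list) -> list:
    """GroupIds whose inbound rules expose Redis to the internet, in input order."""
    return [g["GroupId"] for g in groups
            if any(rule_exposes_port(r) for r in g.get("IpPermissions", []))]


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "redis-open", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "redis-in-range", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ccc", "GroupName": "redis-trusted-only", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ddd", "GroupName": "all-traffic-v6", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

if __name__ == "__main__":
    for gid in find_insecure_groups(SAMPLE["SecurityGroups"]):
        print(gid)   # sg-0aaa, sg-0bbb, sg-0ddd
```

Note that a range rule such as sg-0bbb's 6000-7000 is not removed by the `revoke-security-group-ingress --port 6379` command above; it must be revoked with its own FromPort/ToPort values.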

Backout Plan:

  • Revert Ingress Rules:

    • If issues arise after removing the ingress rules, re-add the rules allowing access to TCP port 6379 from trusted IP ranges only.

  • Restore Configuration:

    • Use saved security group configurations to reapply previous settings if needed:

aws ec2 authorize-security-group-ingress --group-id <GroupId> --protocol tcp --port 6379 --cidr <TrustedIpRange>

References:

CIS Controls Mapping:

Control Version | Control ID | Control Description
v8              | 3.4        | Ensure the use of secure network configurations for all endpoints.
v8              | 4.3        | Limit the attack surface by minimizing the number of open network ports.