Profile Applicability:
Level 1
Description:
This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP port 6379, which is used by Redis. Allowing open access to this port exposes Redis instances to the internet, making them vulnerable to unauthorized access, data exfiltration, and denial-of-service (DoS) attacks. Restricting access to trusted IPs or internal networks helps maintain data confidentiality and system integrity.
Rationale:
Redis is commonly used for caching and in-memory databases, often containing sensitive data such as session tokens, credentials, or cached application content. If Redis instances are exposed to the public internet, attackers can gain direct access to data or modify stored information. Limiting ingress to only necessary IP ranges or internal subnets ensures compliance with CIS, SOC 2, ISO 27001, and HIPAA controls, and helps enforce the principle of least privilege.
Impact:
Positive Impact: Strengthens database security by ensuring Redis instances are accessible only from trusted networks, reducing the risk of compromise or data leakage.
Negative Impact: Administrators or applications outside of the allowed IP ranges may temporarily lose connectivity until appropriate network rules are updated.
Default Value:
By default, new Security Groups do not allow any inbound traffic. Rules allowing access to port 6379 must be explicitly added.
Prerequisites:
IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, and ec2:AuthorizeSecurityGroupIngress.
Awareness of trusted internal IP addresses or CIDR ranges that legitimately require Redis access.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Security Groups.
Review all Security Groups used by your Redis instances or clusters.
Under the Inbound Rules tab, check for any rule with:
Type: Custom TCP Rule or Redis
Port Range: 6379
Source: 0.0.0.0/0 or ::/0
If such rules exist, the configuration is non-compliant.
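The same check as a script, added here as an example and not part of the original control: it evaluates the IpPermissions structure that DescribeSecurityGroups returns (the output of `aws ec2 describe-security-groups` or boto3's describe_security_groups()), and it goes a step beyond the console steps above by also flagging wider TCP port ranges and "All traffic" rules that include 6379. The security group ids and rules below are constructed sample data.

```python
"""Flag Security Group rules that open TCP 6379 (Redis) to the world."""
REDIS_PORT = 6379
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_covers_redis(perm):
    """True if this permission entry spans TCP 6379 (or all protocols/ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "All traffic" rules carry no FromPort/ToPort
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= REDIS_PORT <= perm.get("ToPort", 65535)

def open_sources(perm):
    """Return the world-open sources (IPv4 or IPv6) on a permission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
    return v4 + v6

def find_noncompliant(security_groups):
    """Return [(GroupId, cidr)] for every rule exposing Redis to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_redis(perm):
                for cidr in open_sources(perm):
                    findings.append((sg["GroupId"], cidr))
    return findings

# Constructed sample in the shape of DescribeSecurityGroups output (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-redis-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-redis-vpc", "IpPermissions": [          # compliant: VPC CIDR only
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-range", "IpPermissions": [         # 6379 hidden inside a range
        {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-udp-only", "IpPermissions": [           # UDP 6379 is not Redis
        {"IpProtocol": "udp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, cidr in find_noncompliant(SAMPLE_GROUPS):
        print(f"NON-COMPLIANT: {group_id} allows Redis (tcp/6379) from {cidr}")
```

Any group this reports should be remediated with the Implementation Plan below; the ec2:RevokeSecurityGroupIngress permission listed under Prerequisites is what the fix requires.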
Implementation Plan
Using AWS Console:
Navigate to EC2 → Security Groups.
Select the non-compliant Security Group.
Go to the Inbound Rules tab and click Edit inbound rules.
Identify the rule allowing port 6379 from 0.0.0.0/0 or ::/0.
Modify the Source to a restricted range such as:
The VPC’s CIDR block (e.g., 10.0.0.0/16)
A specific subnet CIDR (e.g., 10.0.1.0/24)
A known trusted IP (e.g., your Bastion Host or application server IP)
Click Save rules.
Re-test Redis connectivity from authorized systems to confirm successful access.
Backout Plan:
Using AWS Console:
If authorized applications lose access after tightening rules, temporarily re-add the previous IP or CIDR under Inbound Rules, ensuring it’s a controlled source (not 0.0.0.0/0).
Validate application requirements and implement a secure access mechanism such as VPC peering, AWS PrivateLink, or a bastion host for controlled Redis access.
References:
Amazon EC2 Security Groups Documentation
Redis Security Guide
AWS Security Best Practices Whitepaper