Profile Applicability:

  • Level 1

Description:

This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP or UDP port 11211, which is used by Memcached. Allowing public access to Memcached can expose sensitive in-memory data, including cached credentials, session tokens, and database query results. Additionally, unsecured Memcached servers are often exploited for DDoS amplification attacks when accessible over the internet. 

Rationale:

Memcached is designed for high-speed caching within trusted networks. If port 11211 is open to the public, attackers can read or modify cache data or use the exposed service as a reflection amplifier in distributed denial-of-service (DDoS) attacks. Restricting access to this port ensures that only trusted internal systems or application servers can communicate with the Memcached service. This follows the principle of least privilege and aligns with compliance standards such as CIS, SOC 2, ISO 27001, and NIST 800-53. 

Impact:

  • Positive Impact: Prevents unauthorized access to in-memory data, reduces exposure to DDoS attacks, and enhances overall network security posture.

  • Negative Impact: Applications outside the restricted IP ranges may require adjustments to connect through secure, private network channels. 

Default Value:

By default, AWS Security Groups deny all inbound connections unless explicitly allowed. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
  • Identify internal CIDR ranges or application subnets that legitimately require access to Memcached.


Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Security Groups.

  3. Select each Security Group and open the Inbound Rules tab.

  4. Look for any rules where:

    • Protocol: TCP or UDP

    • Port Range: 11211

    • Source: 0.0.0.0/0 or ::/0

  5. If such rules exist, the Security Group is non-compliant.

Implementation Plan 

Using AWS Console:

  1. Navigate to EC2 → Security Groups.

  2. Select the non-compliant Security Group.

  3. Click Edit inbound rules.

  4. Identify and delete any rule allowing TCP or UDP access on port 11211 from 0.0.0.0/0 or ::/0.

  5. Add a restricted inbound rule for authorized access:

    • Protocol: TCP or UDP

    • Port Range: 11211

    • Source: Internal application or trusted CIDR (e.g., 10.0.0.0/16).

  6. Click Save rules.

  7. Verify that all applications dependent on Memcached can still connect within the internal network.
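The audit in the Test Plan above and the rule replacement in the Implementation Plan, worked through as an added Python example. This is not part of the benchmark and not AWS-provided code; it assumes only the JSON shape that `aws ec2 describe-security-groups` returns, and the sample response, group IDs, group names and CIDRs below are constructed for the example. It goes a little beyond the Console steps: besides rules literally set to port 11211, it also flags rules whose port range merely contains 11211 and rules with IpProtocol -1 (all traffic), both of which a search for "Port Range: 11211" in the Console would miss.

```python
"""Offline helper for the Memcached port 11211 security-group check.

Audits a describe-security-groups response for unrestricted 11211 ingress
and builds the revoke/authorize permission entries used for remediation.
"""
import json

MEMCACHED_PORT = 11211
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output.
# Group IDs, names and CIDRs are made up for this example, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-EXAMPLE-public", "GroupName": "memcached-public",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "udp", "FromPort": 11000, "ToPort": 12000,
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
       {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-EXAMPLE-open", "GroupName": "all-traffic",
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-EXAMPLE-internal", "GroupName": "memcached-internal",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
     ]}
  ]
}
""")


def covers_port(perm, port):
    """True if this permission's protocol and port range include `port`.

    IpProtocol "-1" means "all traffic": it carries no FromPort/ToPort and
    includes every port, so it must be treated as covering 11211 too.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def public_sources(perm):
    """Return the unrestricted IPv4/IPv6 sources (0.0.0.0/0, ::/0) on a permission."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_SOURCES]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_SOURCES]
    return sources


def find_public_memcached_rules(describe_output, port=MEMCACHED_PORT):
    """Test Plan step 4: one finding per (group, protocol, port range, public source)."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            for src in public_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Source": src,
                })
    return findings


def noncompliant_groups(describe_output):
    """Test Plan step 5: the Security Groups that fail the control."""
    return sorted({f["GroupId"] for f in find_public_memcached_rules(describe_output)})


def revoke_permission(finding):
    """Implementation Plan step 4: the IpPermissions entry that removes exactly the
    public source of one offending rule (shape taken by revoke-security-group-ingress)."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Source"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Source"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Source"]}]
    return perm


def restricted_permission(trusted_cidr, protocol="tcp", port=MEMCACHED_PORT):
    """Implementation Plan step 5: replacement rule limited to a trusted CIDR
    (shape taken by authorize-security-group-ingress --ip-permissions)."""
    description = "Memcached, trusted network only"
    if ":" in trusted_cidr:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": trusted_cidr, "Description": description}]}
    else:
        ranges = {"IpRanges": [{"CidrIp": trusted_cidr, "Description": description}]}
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port, **ranges}


if __name__ == "__main__":
    for f in find_public_memcached_rules(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT", f)
        print("  revoke entry :", json.dumps(revoke_permission(f)))
    print("replacement entry:", json.dumps(restricted_permission("10.0.0.0/16")))
```

Against a live account the same functions can be fed the parsed output of `aws ec2 describe-security-groups` instead of the sample. Review each revoke entry before applying it: for an all-traffic (IpProtocol -1) rule the entry removes that whole public all-traffic rule, not just port 11211, which is usually the right outcome but affects every other service behind that group as well.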

Backout Plan:

Using AWS Console:

  1. If legitimate access is disrupted, temporarily re-add rules allowing access from specific known IPs while implementing VPN or private connectivity solutions.
  2. Use AWS VPC Peering, PrivateLink, or a Bastion Host for secure, restricted access instead of reopening public ingress.


References: