Ensure No EC2 Instances Allow Ingress from the Internet to TCP Port 11211 (Memcached)
Overview
This check identifies EC2 instances that allow inbound traffic on TCP port 11211 (Memcached) from anywhere on the internet (0.0.0.0/0 or ::/0). Memcached is a caching service designed for use in trusted, private networks and should never be publicly accessible.
Severity: Critical
Compliance Frameworks: C5, ISO27001, KISA-ISMS-P, NIS2, SOC2
Risk
Exposing Memcached to the internet creates serious security risks:
- DDoS Amplification Attacks: Attackers can exploit Memcached for reflection attacks that amplify traffic by up to 50,000x, potentially overwhelming your infrastructure or others
- Data Theft: Unauthorized users can read cached data, which may include sensitive information like session tokens, user data, or database query results
- Cache Poisoning: Attackers can modify cached data to manipulate your application's behavior
- Reconnaissance: Exposed services reveal information about your infrastructure that aids further attacks
Memcached has no built-in authentication, making public exposure especially dangerous.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify EC2 security groups, OR
- AWS CLI configured with appropriate credentials
AWS CLI setup
If you need to install or configure the AWS CLI:
```bash
# Install AWS CLI (macOS)
brew install awscli
# Configure credentials
aws configure
```
Ensure your IAM user or role has the ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress permissions (and ec2:AuthorizeSecurityGroupIngress if you intend to add the restricted replacement rule in Step 4).
AWS Console Method
- Sign in to the AWS Console and navigate to EC2
- In the left sidebar, click Security Groups (under Network & Security)
- Select the security group attached to the affected EC2 instance
- Click the Inbound rules tab
- Find any rule with:
  - Port range: 11211 (also check rules whose range includes 11211, and "All traffic" rules)
  - Source: 0.0.0.0/0 or ::/0
- Click Edit inbound rules
- Either:
  - Delete the rule by clicking the X button next to it, OR
  - Restrict the source to a specific private CIDR (e.g., 10.0.0.0/8) or a security group
- Click Save rules
AWS CLI (optional)
Step 1: Identify security groups with exposed Memcached port
```bash
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=11211" \
            "Name=ip-permission.to-port,Values=11211" \
            "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query "SecurityGroups[*].[GroupId,GroupName]" \
  --output table
```
This filter matches IPv4 sources only; rerun it with "Name=ip-permission.ipv6-cidr,Values=::/0" in place of the ip-permission.cidr filter to find IPv6 rules. Each ip-permission filter is evaluated against all of a group's rules rather than a single rule, so a group that allows 11211 from an internal CIDR and some other port from 0.0.0.0/0 can also be listed; inspect the returned groups' inbound rules before revoking anything.
Step 2: Remove the insecure rule (IPv4)
```bash
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 11211 \
  --cidr 0.0.0.0/0
```
Step 3: Remove the insecure rule (IPv6, if applicable)
```bash
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --ip-permissions IpProtocol=tcp,FromPort=11211,ToPort=11211,Ipv6Ranges='[{CidrIpv6=::/0}]'
```
Step 4 (optional): Add a restricted rule for internal access
```bash
aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 11211 \
  --cidr 10.0.0.0/8
```
Replace <SECURITY_GROUP_ID> with your actual security group ID (e.g., sg-0123456789abcdef0) and adjust the CIDR to match your internal network range.
CloudFormation (optional)
Use this template to create a security group with properly restricted Memcached access:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with restricted Memcached access
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created
  AllowedCidr:
    Type: String
    Default: '10.0.0.0/8'
    Description: CIDR block allowed to access Memcached
Resources:
  RestrictedMemcachedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with restricted Memcached access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 11211
          ToPort: 11211
          CidrIp: !Ref AllowedCidr
          Description: Allow Memcached from internal network only
      Tags:
        - Key: Name
          Value: restricted-memcached-sg
Outputs:
  SecurityGroupId:
    Description: ID of the security group
    Value: !Ref RestrictedMemcachedSecurityGroup
```
Deploy the stack:
```bash
aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name restricted-memcached-sg \
  --template-body file://template.yaml \
  --parameters ParameterKey=VpcId,ParameterValue=<YOUR_VPC_ID> \
               ParameterKey=AllowedCidr,ParameterValue=10.0.0.0/8
```
Terraform (optional)
Use this configuration to create a security group with properly restricted Memcached access:
```hcl
variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "allowed_cidr_blocks" {
  description = "CIDR blocks allowed to access Memcached"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

resource "aws_security_group" "restricted_memcached" {
  name        = "restricted-memcached-sg"
  description = "Security group with restricted Memcached access"
  vpc_id      = var.vpc_id

  ingress {
    description = "Allow Memcached from internal network only"
    from_port   = 11211
    to_port     = 11211
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "restricted-memcached-sg"
  }
}

output "security_group_id" {
  description = "ID of the security group"
  value       = aws_security_group.restricted_memcached.id
}
```
Apply the configuration:
```bash
terraform init
terraform plan -var="vpc_id=<YOUR_VPC_ID>"
terraform apply -var="vpc_id=<YOUR_VPC_ID>"
```
Verification
After making changes, verify the fix:
- In the AWS Console, go to EC2 > Security Groups
- Select the modified security group
- Check the Inbound rules tab
- Confirm there are no rules allowing port 11211 from 0.0.0.0/0 or ::/0
CLI verification
```bash
aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids <SECURITY_GROUP_ID> \
  --query "SecurityGroups[0].IpPermissions[?FromPort==\`11211\`]" \
  --output json
```
The output should show no rules with 0.0.0.0/0 or ::/0 in the IpRanges or Ipv6Ranges fields. Note that this query only returns rules whose FromPort is exactly 11211; a rule for a port range that includes 11211 (for example 11000-12000) or an all-traffic rule (IpProtocol "-1", which has no FromPort) also exposes Memcached, so drop the filter expression and review the full IpPermissions list if the group has such rules.
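The Step 1 filter and the CLI verification query above both key on an exact FromPort of 11211 and, in Step 1, on the IPv4 source only. The script below is an added example (not part of this check or its tooling) that evaluates the full `describe-security-groups` JSON for any inbound rule reaching TCP 11211 from 0.0.0.0/0 or ::/0, including port ranges that contain 11211 and all-traffic rules, and emits the exact `--ip-permissions` revoke payload for each offending source so that an internal CIDR sharing the same rule is left in place. It makes no AWS calls; the group IDs and rules in SAMPLE are constructed for demonstration, and the `protocol` parameter is an assumption added so the same logic can be run against UDP rules.

```python
"""Find security-group rules that expose Memcached (TCP 11211) to the
internet and build the matching revoke payloads.

Added example, not part of the original check or its tooling. It reads
the JSON shape produced by `aws ec2 describe-security-groups --output json`
(the "SecurityGroups" list) and makes no AWS API calls itself; SAMPLE
below is constructed for demonstration.
"""
import json
import sys

MEMCACHED_PORT = 11211
OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"


def rule_covers_port(perm, port=MEMCACHED_PORT, protocol="tcp"):
    """True if one IpPermissions entry reaches `port` over `protocol`.

    Covers the cases a FromPort == 11211 query misses: a port range that
    includes 11211, and IpProtocol "-1" (all traffic), which carries no ports.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_sources(perm):
    """Yield (field, cidr) for each world-open source on one rule entry."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == OPEN_IPV4:
            yield "IpRanges", OPEN_IPV4
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == OPEN_IPV6:
            yield "Ipv6Ranges", OPEN_IPV6


def find_exposed(security_groups, port=MEMCACHED_PORT, protocol="tcp"):
    """Return (group_id, revoke_permission) pairs, one per exposed source.

    Each revoke_permission is shaped for
    `aws ec2 revoke-security-group-ingress --ip-permissions` and names only
    the offending source, so other sources on the same rule are kept.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port, protocol):
                continue
            for field, cidr in open_sources(perm):
                revoke = {"IpProtocol": perm["IpProtocol"]}
                if perm["IpProtocol"] != "-1":
                    revoke["FromPort"] = perm["FromPort"]
                    revoke["ToPort"] = perm["ToPort"]
                key = "CidrIp" if field == "IpRanges" else "CidrIpv6"
                revoke[field] = [{key: cidr}]
                findings.append((sg["GroupId"], revoke))
    return findings


# Constructed sample in describe-security-groups shape (group IDs are made up).
SAMPLE = {"SecurityGroups": [
    {   # exact-port rule mixing an internal CIDR with 0.0.0.0/0 and ::/0
        "GroupId": "sg-0123456789abcdef1",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # port range containing 11211; a FromPort == 11211 query would not list it
        "GroupId": "sg-0123456789abcdef2",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11000, "ToPort": 12000,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # compliant: internal source only
        "GroupId": "sg-0123456789abcdef3",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
    },
]}


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --output json | python audit_memcached.py -
    # Without "-" the constructed SAMPLE above is audited instead.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for group_id, revoke in find_exposed(doc["SecurityGroups"]):
        print(f"{group_id}: aws ec2 revoke-security-group-ingress --group-id {group_id} "
              f"--ip-permissions '{json.dumps(revoke)}'")
```

Each printed command revokes a single source from a single rule; add `--region` as in the steps above. Because the payload carries the rule's own FromPort/ToPort (or "-1" for all-traffic rules), it matches the rule exactly as the API stores it, which the `--port 11211` shorthand in Step 2 cannot do for a range rule.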
Additional Resources
- AWS Security Groups Documentation
- AWS Security Best Practices
- Memcached DDoS Attack Explanation (US-CERT)
Notes
- No authentication: Memcached has no built-in authentication mechanism. Anyone who can reach the port can read and write cached data. This makes network-level restrictions essential. Memcached also listens on UDP 11211 in builds older than 1.5.6 (where UDP was enabled by default), and UDP is the transport used in the amplification attacks described above, so apply the same source restriction to any UDP 11211 rule.
- Consider ElastiCache: For production workloads, consider using Amazon ElastiCache for Memcached, which runs in your VPC and is not publicly accessible by default.
- Private subnets: Place instances running Memcached in private subnets without public IP addresses for defense-in-depth.
- Application impact: Before removing rules, ensure your application does not rely on public access to Memcached. Legitimate clients should connect through private networks, VPNs, or AWS PrivateLink.