Skip to main content

Ensure No EC2 Instances Allow Internet Access to Redis (Port 6379)

Overview

This check identifies EC2 instances with security groups that allow unrestricted internet access to Redis on TCP port 6379. Redis is an in-memory data store commonly used for caching, session management, and message brokering. Exposing Redis to the internet creates serious security risks.

Risk

Allowing internet access to Redis (port 6379) is critical because:

  • Data exposure: Redis often stores sensitive data like session tokens, user credentials, and cached application data. Unauthorized users could read this information.
  • Data corruption: Attackers can execute commands (SET, DEL, FLUSHALL) to modify or delete your data.
  • Service disruption: Internet-exposed Redis servers are frequently targeted by automated scanners, which can exhaust resources and disrupt operations.
  • Lateral movement: A compromised Redis instance can be used as a foothold to attack other resources in your network.

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify security groups, OR
  • AWS CLI configured with appropriate credentials
AWS CLI setup

If you do not have the AWS CLI installed, follow the AWS CLI installation guide.

Configure your credentials:

aws configure

Verify access:

aws sts get-caller-identity

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to EC2 > Security Groups (in the left sidebar under "Network & Security")
  3. Find the security group associated with the affected EC2 instance
  4. Select the security group and click the Inbound rules tab
  5. Click Edit inbound rules
  6. Locate any rule that allows port 6379 from 0.0.0.0/0 or ::/0
  7. Either:
    • Delete the rule if Redis does not need external access, OR
    • Restrict the source to a specific IP address or CIDR range (e.g., your VPC CIDR like 10.0.0.0/8)
  8. Click Save rules
AWS CLI (optional)

Step 1: Identify the security group

Find security groups with open Redis access:

aws ec2 describe-security-groups \
    --region us-east-1 \
    --filters "Name=ip-permission.from-port,Values=6379" \
              "Name=ip-permission.to-port,Values=6379" \
              "Name=ip-permission.cidr,Values=0.0.0.0/0" \
    --query "SecurityGroups[*].[GroupId,GroupName]" \
    --output table

Step 2: Revoke the insecure rule

Remove internet access to Redis (replace <SECURITY_GROUP_ID> with your actual security group ID):

# Remove IPv4 internet access
aws ec2 revoke-security-group-ingress \
    --region us-east-1 \
    --group-id <SECURITY_GROUP_ID> \
    --protocol tcp \
    --port 6379 \
    --cidr 0.0.0.0/0

# Remove IPv6 internet access (if applicable)
aws ec2 revoke-security-group-ingress \
    --region us-east-1 \
    --group-id <SECURITY_GROUP_ID> \
    --protocol tcp \
    --port 6379 \
    --cidr ::/0

Step 3: (Optional) Add a restricted rule

If Redis needs to be accessible from trusted networks:

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id <SECURITY_GROUP_ID> \
    --protocol tcp \
    --port 6379 \
    --cidr 10.0.0.0/8
CloudFormation (optional)

Use this template to create a security group with properly restricted Redis access:

AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with restricted Redis access (no internet exposure)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC where the security group will be created

  TrustedCidr:
    Type: String
    Default: 10.0.0.0/8
    Description: Trusted CIDR range allowed to access Redis

Resources:
  RestrictedRedisSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with Redis access restricted to trusted networks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          CidrIp: !Ref TrustedCidr
          Description: Redis access from trusted network only
      Tags:
        - Key: Name
          Value: restricted-redis-sg

Outputs:
  SecurityGroupId:
    Description: ID of the security group with restricted Redis access
    Value: !Ref RestrictedRedisSecurityGroup

Deploy the stack:

aws cloudformation create-stack \
    --region us-east-1 \
    --stack-name restricted-redis-sg \
    --template-body file://template.yaml \
    --parameters ParameterKey=VpcId,ParameterValue=<YOUR_VPC_ID> \
                 ParameterKey=TrustedCidr,ParameterValue=10.0.0.0/8
Terraform (optional)

Use this configuration to create a security group with properly restricted Redis access:

variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr_blocks" {
  description = "List of trusted CIDR blocks allowed to access Redis"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

resource "aws_security_group" "restricted_redis" {
  name        = "restricted-redis-sg"
  description = "Security group with Redis access restricted to trusted networks"
  vpc_id      = var.vpc_id

  # Redis access restricted to trusted networks only
  ingress {
    description = "Redis from trusted networks"
    from_port   = 6379
    to_port     = 6379
    protocol    = "tcp"
    cidr_blocks = var.trusted_cidr_blocks
  }

  egress {
    description = "Allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "restricted-redis-sg"
  }
}

output "security_group_id" {
  description = "ID of the security group with restricted Redis access"
  value       = aws_security_group.restricted_redis.id
}

Apply the configuration:

terraform init
terraform plan -var="vpc_id=<YOUR_VPC_ID>"
terraform apply -var="vpc_id=<YOUR_VPC_ID>"

Verification

After making changes, verify that Redis is no longer exposed to the internet:

  1. In the AWS Console, go to EC2 > Security Groups
  2. Select the modified security group
  3. Check the Inbound rules tab
  4. Confirm there are no rules allowing port 6379 from 0.0.0.0/0 or ::/0
CLI verification
# Check for any remaining open Redis rules
aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids <SECURITY_GROUP_ID> \
    --query "SecurityGroups[*].IpPermissions[?FromPort==\`6379\`]" \
    --output json

The output should show no rules with 0.0.0.0/0 or ::/0 in the IpRanges or Ipv6Ranges fields.

Additional Resources

Notes

  • Private subnets: For best security, place Redis instances in private subnets with no direct internet access.
  • Authentication: Enable Redis AUTH to require password authentication, even for internal access.
  • Encryption: Consider using Redis with TLS encryption for data in transit.
  • ElastiCache: For production workloads, consider using Amazon ElastiCache for Redis, which provides managed security features.
  • Multiple security groups: An EC2 instance may have multiple security groups attached. Check all of them for insecure rules.
  • Network ACLs: Security groups are not the only network control. Also review Network ACLs for defense in depth.