Metadata

Id: e29a75e6-aba3-4896-b42d-b87818c16b58

Cloud Provider: Azure

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Description

Allowing non-SSL connections to Azure Redis Cache resources exposes sensitive data in transit to potential interception or man-in-the-middle attacks, as information exchanged between clients and the Redis service will not be encrypted. To mitigate this risk, the enable_non_ssl_port attribute in the Terraform resource should be set to false, ensuring all connections use secure TLS communication. For example:

resource "azurerm_redis_cache" "secure_example" {
  name                = "example-cache"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 2
  family              = "C"
  sku_name            = "Standard"
  enable_non_ssl_port = false
  minimum_tls_version = "1.2"

  redis_configuration {
  }
}

Neglecting this configuration can lead to exposure of authentication credentials and cached data, increasing the risk of data breaches and compliance violations.

Compliant Code Examples

resource "azurerm_redis_cache" "negative1" {
  name                = "example-cache"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 2
  family              = "C"
  sku_name            = "Standard"
  enable_non_ssl_port = false
  minimum_tls_version = "1.2"

  redis_configuration {
  }
}

resource "azurerm_redis_cache" "negative2" {
  name                = "example-cache"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 2
  family              = "C"
  sku_name            = "Standard"
 
  minimum_tls_version = "1.2"

  redis_configuration {
  }
}

Non-Compliant Code Examples

resource "azurerm_redis_cache" "positive1" {
  name                = "example-cache"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 2
  family              = "C"
  sku_name            = "Standard"
  enable_non_ssl_port = true
  minimum_tls_version = "1.2"

  redis_configuration {
  }
}
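
The same check applied to a rendered plan rather than to source files, as an added example that is not part of the original page or of Datadog's rule code. It reads the JSON produced by `terraform show -json` and classifies each azurerm_redis_cache. The function name audit_redis_non_ssl and the sample plan are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`;
# only the fields this check reads are included.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_redis_cache.positive1", "type": "azurerm_redis_cache",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"enable_non_ssl_port": true}}},
  {"address": "azurerm_redis_cache.negative1", "type": "azurerm_redis_cache",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"enable_non_ssl_port": false}}},
  {"address": "azurerm_redis_cache.negative2", "type": "azurerm_redis_cache",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"minimum_tls_version": "1.2"}}},
  {"address": "module.cache.azurerm_redis_cache.computed", "type": "azurerm_redis_cache",
   "change": {"actions": ["update"], "after": {},
              "after_unknown": {"enable_non_ssl_port": true}}},
  {"address": "azurerm_redis_cache.retired", "type": "azurerm_redis_cache",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group",
   "change": {"actions": ["no-op"], "after": {"name": "example"}, "after_unknown": {}}}
]}
""")


def audit_redis_non_ssl(plan):
    """Map each planned azurerm_redis_cache address to a verdict string."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_redis_cache":
            continue
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None:  # resource is being destroyed, nothing left to expose
            continue
        unknown = change.get("after_unknown") or {}
        if unknown.get("enable_non_ssl_port") is True:
            verdicts[rc["address"]] = "unknown"  # value resolved only at apply time
        elif after.get("enable_non_ssl_port") is True:
            verdicts[rc["address"]] = "non-compliant"
        else:  # explicitly false, or omitted as in the negative2 example
            verdicts[rc["address"]] = "compliant"
    return verdicts


if __name__ == "__main__":
    for address, verdict in audit_redis_non_ssl(SAMPLE_PLAN).items():
        print(f"{verdict:14} {address}")
```

An "unknown" verdict means the value is computed at apply time, so a pipeline gate should treat it as needing review rather than as a pass.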