
ElastiCache cluster is not using default ports

elasticache

Classification:

compliance


Description

Change your AWS ElastiCache cluster endpoint port to a non-default port.

Rationale

Using the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.

Remediation

Console

Follow the Finding connection endpoints console documentation to learn how to find and modify your cluster’s endpoint port.

CLI

  1. Run aws elasticache describe-cache-clusters with your ElastiCache cluster ID to output the existing cluster configuration.

describe-cache-clusters.sh

  # Replace your-cc-id with the ID of the existing cluster.
  aws elasticache describe-cache-clusters \
    --cache-cluster-id your-cc-id

  
  2. Run aws elasticache create-cache-cluster with the cluster data returned in the previous step. Configure the new cache cluster with a custom value for the endpoint port. This returns new cluster metadata.

create-cache-cluster.sh

  # Copy the remaining settings (engine, node type, subnet group, ...)
  # from the describe-cache-clusters output, then set a non-default port.
  aws elasticache create-cache-cluster \
    --cache-cluster-id new-cc-id \
    ... \
    --port 10001

    
  3. Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run delete-cache-cluster with the original cluster ID.

delete-cache-cluster.sh

  # Only run this after clients have been moved to new-cc-id.
  aws elasticache delete-cache-cluster \
    --cache-cluster-id your-cc-id
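The CLI steps above fix one cluster at a time; before and after the change, a practitioner usually wants to audit every cluster in the account for the engine default ports (6379 for Redis, 11211 for Memcached, which are also what the CLI uses when `--port` is omitted). The script below is an added example, not code from this rule page or from AWS: it reads `cluster-id engine port` lines and reports the clusters still on a default port. The `--query` expression shown in the comment for producing that input, and the sample lines in the demo, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ElastiCache clusters still listening on their
# engine's default port. Not part of the rule page or the AWS CLI.

# default_port ENGINE -> prints the default port for redis or memcached
default_port() {
  case "$1" in
    redis) echo 6379 ;;
    memcached) echo 11211 ;;
    *) echo "unknown engine: $1" >&2; return 1 ;;
  esac
}

# is_default_port ENGINE PORT -> exit 0 when PORT equals the engine default
is_default_port() {
  [ "$2" = "$(default_port "$1")" ]
}

# audit_clusters reads "cluster-id engine port" lines on stdin, prints every
# cluster still on a default port and returns the number found (0 = compliant).
# Assumption: the input comes from a query such as
#   aws elasticache describe-cache-clusters --show-cache-node-info \
#     --query 'CacheClusters[].[CacheClusterId,Engine,CacheNodes[0].Endpoint.Port]' \
#     --output text
audit_clusters() {
  count=0
  while read -r id engine port; do
    [ -z "$id" ] && continue
    if is_default_port "$engine" "$port"; then
      echo "NONCOMPLIANT $id ($engine) listens on default port $port"
      count=$((count + 1))
    fi
  done
  return "$count"
}

# Demo on constructed sample rows (two of the three are non-compliant).
printf 'cc-a redis 6379\ncc-b redis 10001\ncc-c memcached 11211\n' \
  | audit_clusters || echo "$? cluster(s) on default ports"
```

Feed the real `describe-cache-clusters` output through `audit_clusters` to get the list of clusters that step 2 must recreate. A non-default port is defence in depth against opportunistic scanning of the well-known ports; network access to the cluster should still be limited to the application's subnets and security groups.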