For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-elasticache-using-default-port.md. A documentation index is available at /llms.txt.

ElastiCache using default port

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-elasticache-using-default-port

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Networking and Firewall

Learn More

Description

Amazon ElastiCache replication groups must not use engine default ports because default ports are easily discovered and increase the risk of automated scanning, brute-force attempts, and unauthorized access.

For AWS::ElastiCache::ReplicationGroup resources, ensure Properties.Port is not set to 6379 when Properties.Engine is redis, or to 11211 when Properties.Engine is memcached. Resources with those exact settings will be flagged.

Choose a non-default Port value if you require obscurity, but do not rely on port choice alone. Also restrict access with security groups, subnet/VPC controls, and parameter group settings.

Note that omitting the Port property typically causes the engine to use its default port. Explicitly configure a non-default port or enforce network-level restrictions to mitigate exposure.

Secure configuration example (CloudFormation YAML):

MyReplicationGroup:
  Type: AWS::ElastiCache::ReplicationGroup
  Properties:
    Engine: redis
    Port: 6380
    ReplicationGroupId: my-redis-cluster
    ReplicationGroupDescription: "Redis cluster on non-default port"

Compliant Code Examples

Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true    
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6380
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00' 

Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true    
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11212
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00' 

{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,            
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "redis",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 6380,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true    
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: redis
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 6379
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00' 

Resources:
  BasicReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      AutomaticFailoverEnabled: true    
      CacheNodeType: cache.r3.large
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      Engine: memcached
      EngineVersion: '3.2'
      NumNodeGroups: '2'
      ReplicasPerNodeGroup: '3'
      Port: 11211
      PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
      ReplicationGroupDescription: A sample replication group
      SecurityGroupIds:
        - !Ref ReplicationGroupSG
      SnapshotRetentionLimit: 5
      SnapshotWindow: '10:00-12:00' 

{
  "Resources": {
    "BasicReplicationGroup": {
      "Type": "AWS::ElastiCache::ReplicationGroup",
      "Properties": {
          "AutomaticFailoverEnabled": true,            
          "CacheNodeType": "cache.r3.large",
          "CacheSubnetGroupName": {
              "Ref": "CacheSubnetGroup"
          },
          "Engine": "redis",
          "EngineVersion": "3.2",
          "NumNodeGroups": "2",
          "ReplicasPerNodeGroup": "3",
          "Port": 6379,
          "PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
          "ReplicationGroupDescription": "A sample replication group",
          "SecurityGroupIds": [
              {
                  "Ref": "ReplicationGroupSG"
              }
          ],
          "SnapshotRetentionLimit": 5,
          "SnapshotWindow": "10:00-12:00"
      }
    }
  }
}