ElastiCache clusters should use a non-default port for communication

Description

Change your AWS ElastiCache cluster endpoint port to a non-default port.

Rationale

Clusters listening on the engine's well-known default port are easier to locate and target with automated scans and exploits. Configuring a custom port adds an extra layer of defense to your clusters.

Remediation

From the console

Follow the "Finding connection endpoints" console documentation to learn how to find and modify your cluster's endpoint port.

From the command line

  1. Run aws elasticache describe-cache-clusters with your ElastiCache cluster ID to output the existing cluster configuration.

describe-cache-clusters.sh

  aws elasticache describe-cache-clusters \
    --cache-cluster-id your-cc-id

  2. Run aws elasticache create-cache-cluster with the cluster data returned in the previous step. Configure the new cache cluster with a custom value for the endpoint port. This returns the new cluster's metadata.

create-cache-cluster.sh

  aws elasticache create-cache-cluster \
    --cache-cluster-id new-cc-id \
    ... \
    --port 10001

  3. Once the new cluster is available on the custom port, remove the old ElastiCache cluster. Run aws elasticache delete-cache-cluster with the original cluster ID.

delete-cache-cluster.sh

  aws elasticache delete-cache-cluster \
    --cache-cluster-id your-cc-id
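The three steps above can be tied together in a small audit-and-remediation helper. The following is an added example and is not part of this rule page or the AWS CLI: it parses the JSON that step 1's describe-cache-clusters call returns, flags any cluster still on its engine's default port, and derives the full argument list for step 2's create-cache-cluster call (filling in the settings the `...` above elides from the existing cluster record) while refusing a "custom" port that is still the default. The describe output is a constructed sample with placeholder IDs and addresses; the engine defaults (Redis 6379, Memcached 11211) and the endpoint field layout are assumptions from the AWS API shape, not values taken from the page.

```python
"""Audit ElastiCache clusters for default ports and build the
create-cache-cluster command used in the remediation steps.

Added example, not part of the original rule page. Input is a constructed
sample shaped like `aws elasticache describe-cache-clusters` output.
"""
import json
import shlex

# Well-known engine defaults (assumption); the audit flags clusters still on them.
DEFAULT_PORTS = {"redis": 6379, "memcached": 11211}

# Constructed sample describe-cache-clusters output. IDs, addresses and the
# security group ID are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "CacheClusters": [
        {
            "CacheClusterId": "your-cc-id",
            "Engine": "redis",
            "EngineVersion": "7.0.7",
            "CacheNodeType": "cache.t3.micro",
            "NumCacheNodes": 1,
            "CacheSubnetGroupName": "default",
            "SecurityGroups": [{"SecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "CacheNodes": [{"Endpoint": {"Address": "your-cc-id.example.cache.amazonaws.com",
                                         "Port": 6379}}],
        },
        {
            "CacheClusterId": "hardened-cc-id",
            "Engine": "memcached",
            "EngineVersion": "1.6.17",
            "CacheNodeType": "cache.t3.micro",
            "NumCacheNodes": 2,
            "CacheSubnetGroupName": "default",
            "SecurityGroups": [{"SecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "ConfigurationEndpoint": {"Address": "hardened-cc-id.example.cfg.cache.amazonaws.com",
                                      "Port": 10001},
        },
    ]
})


def sample_clusters():
    """Return the parsed CacheClusters list from the constructed sample."""
    return json.loads(SAMPLE_DESCRIBE_OUTPUT)["CacheClusters"]


def cluster_port(cluster):
    """Return the port a cluster listens on, or None if the record carries none.

    Memcached clusters expose a ConfigurationEndpoint; Redis clusters carry the
    port on each CacheNode endpoint (assumed field layout).
    """
    conf = cluster.get("ConfigurationEndpoint") or {}
    if "Port" in conf:
        return conf["Port"]
    for node in cluster.get("CacheNodes", []):
        endpoint = node.get("Endpoint") or {}
        if "Port" in endpoint:
            return endpoint["Port"]
    return None


def find_default_port_clusters(describe_output):
    """Parse describe-cache-clusters JSON; list (id, engine, port) for clusters on a default port."""
    findings = []
    for cluster in json.loads(describe_output).get("CacheClusters", []):
        engine = cluster.get("Engine", "").lower()
        port = cluster_port(cluster)
        if port is not None and port == DEFAULT_PORTS.get(engine):
            findings.append((cluster["CacheClusterId"], engine, port))
    return findings


def build_create_args(cluster, new_cluster_id, new_port):
    """Translate an existing cluster record into the argv for step 2.

    Carries over engine, version, node type, node count, subnet group and
    security groups, and rejects a new port that is still the engine default.
    """
    engine = cluster["Engine"].lower()
    if new_port == DEFAULT_PORTS.get(engine):
        raise ValueError(f"{new_port} is the default port for {engine}; pick a non-default port")
    argv = [
        "aws", "elasticache", "create-cache-cluster",
        "--cache-cluster-id", new_cluster_id,
        "--engine", engine,
        "--engine-version", cluster["EngineVersion"],
        "--cache-node-type", cluster["CacheNodeType"],
        "--num-cache-nodes", str(cluster["NumCacheNodes"]),
        "--port", str(new_port),
    ]
    if cluster.get("CacheSubnetGroupName"):
        argv += ["--cache-subnet-group-name", cluster["CacheSubnetGroupName"]]
    sg_ids = [sg["SecurityGroupId"] for sg in cluster.get("SecurityGroups", [])]
    if sg_ids:
        argv += ["--security-group-ids", *sg_ids]
    return argv


if __name__ == "__main__":
    for cluster_id, engine, port in find_default_port_clusters(SAMPLE_DESCRIBE_OUTPUT):
        print(f"FINDING: {cluster_id} ({engine}) listens on default port {port}")
        # Print the step 2 command that would replace the flagged cluster.
        record = next(c for c in sample_clusters() if c["CacheClusterId"] == cluster_id)
        print(shlex.join(build_create_args(record, "new-cc-id", 10001)))
```

Only the Redis cluster is reported, because the Memcached cluster already listens on 10001. In practice you would feed the helper the real output of the describe-cache-clusters call from step 1 and review the printed command before running it; the delete from step 3 is deliberately left as a manual action.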