End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Unrestricted Memcached Access

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: EC2-075

Check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e., 0.0.0.0/0 or ::/0) on TCP and/or UDP port 11211 in order to reduce the attack surface and protect the Memcached cache server instances associated with your security groups. Memcached is an open-source, high-performance, distributed memory object caching system, intended for use in speeding up dynamic websites and web applications by alleviating database load.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unrestricted inbound/ingress access on TCP and/or UDP port 11211 (Memcached) to your Amazon EC2 instances can increase opportunities for malicious activities such as DDoS amplification attacks, which can have a serious impact on the health and stability of your web services and applications.


Audit

To determine if your Amazon EC2 security groups allow unrestricted Memcached access, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Click inside the Find security groups by attribute or tag box located under Security Groups, type 11211 and press Enter, then select the following filters from the Client filters category: Protocol = TCP, Protocol = UDP. This will return only the security groups that allow traffic on TCP/UDP port 11211 (Memcached).

05 Select the security group that you want to examine and choose the Inbound rules tab from the console split panel to access the inbound rules created for the selected group.

06 Check the configuration value available in the Source column for any inbound rules with the Port range set to 11211. If one or more ingress rules have the Source value set to 0.0.0.0/0 or ::/0 (i.e., Anywhere), the selected Amazon EC2 security group allows unrestricted traffic on TCP/UDP port 11211; therefore, access to the Memcached service on the associated EC2 instance(s) is not secured.

07 Repeat steps no. 5 and 6 for each Amazon EC2 security group returned as result in step no. 4.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined and custom query filters to expose the ID of each Amazon EC2 security group that allows unrestricted inbound access on TCP/UDP port 11211 (Memcached). Note that the ip-permission.cidr filter matches IPv4 CIDR blocks only; to find rules open to ::/0, run the command a second time with Name=ip-permission.ipv6-cidr,Values='::/0' in place of the ip-permission.cidr filter. Note also that the from-port and to-port filters match exact values, so a rule that opens a wider port range containing 11211 (or all traffic) is not returned by this command:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=ip-permission.from-port,Values=11211 Name=ip-permission.to-port,Values=11211 Name=ip-permission.cidr,Values='0.0.0.0/0' \
	--output table \
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

If the describe-security-groups command does not produce any output, there are no security groups that allow unrestricted inbound access on TCP/UDP port 11211 in the selected AWS region. If the command output returns a table with one or more security group IDs, as shown in the example above, those Amazon EC2 security groups allow unrestricted traffic on TCP/UDP port 11211. As a result, access to the Memcached service on the associated EC2 instance(s) is not secured.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Audit process for other regions.
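The filter-based command above keys on exact port values and IPv4 CIDR blocks. As an added example (not part of this page or the Conformity tooling), the following Python evaluates the IpPermissions structure that describe-security-groups returns (or that boto3's describe_security_groups() yields), so it also flags IPv6-only exposure, wide port ranges that contain 11211, and all-traffic rules (IpProtocol "-1"). The SAMPLE data is constructed and the group IDs are placeholders; in practice, pass in the SecurityGroups list from the real API response.

```python
"""Flag EC2 security groups whose inbound rules expose Memcached (TCP/UDP 11211)
to the internet. Added example, not Conformity's code; it evaluates the
`SecurityGroups` list returned by `aws ec2 describe-security-groups`."""

import json

MEMCACHED_PORT = 11211
OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"


def rule_covers_memcached(perm):
    """True if one IpPermissions entry can carry Memcached traffic.
    Unlike the exact from-port/to-port CLI filter, this also matches wide
    port ranges and the all-protocol rule (IpProtocol "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    # FromPort/ToPort are absent for some entries; treat that as all ports.
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return low <= MEMCACHED_PORT <= high


def open_sources(perm):
    """Return the unrestricted sources (0.0.0.0/0 and/or ::/0) of one entry."""
    found = []
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == OPEN_IPV4:
            found.append(OPEN_IPV4)
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == OPEN_IPV6:
            found.append(OPEN_IPV6)
    return found


def find_unrestricted_memcached(security_groups):
    """Map GroupId -> list of (protocol, from_port, to_port, source) findings."""
    findings = {}
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_memcached(perm):
                continue
            for src in open_sources(perm):
                findings.setdefault(sg["GroupId"], []).append(
                    (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"), src)
                )
    return findings


# Constructed sample shaped like describe-security-groups output (placeholder IDs).
SAMPLE = {
    "SecurityGroups": [
        {   # exact-port rule open to IPv4: the case the CLI filter catches
            "GroupId": "sg-01234abcd1234abcd",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # IPv6-only exposure plus a wide UDP range: both missed by the filter
            "GroupId": "sg-0abcd1234abcd1234",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "udp", "FromPort": 1024, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # compliant: Memcached reachable only from another security group
            "GroupId": "sg-0abcdabcdabcdabcd",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0abcdabcdabcdabcd"}]},
            ],
        },
    ]
}

if __name__ == "__main__":
    print(json.dumps(find_unrestricted_memcached(SAMPLE["SecurityGroups"]), indent=2))
```

Running the script on the sample reports the first two groups and stays silent on the third. To check a real region, save `aws ec2 describe-security-groups --region <region> --output json` to a file and pass its SecurityGroups list to find_unrestricted_memcached().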

Remediation / Resolution

To update the inbound rule configuration for your Amazon EC2 security groups in order to restrict Memcached service access to trusted networks only, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). The ingress rule names a trusted source security group only; a SecurityGroupIngress entry accepts exactly one source, so no CidrIp is set on it:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure security group to restrict inbound Memcached access to trusted servers only",
	"Resources": {
		"EC2SecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupName": "cc-instance-security-group",
				"GroupDescription": "Allow Memcached access",
				"VpcId": "vpc-01234abcd1234abcd",
				"SecurityGroupIngress": [
					{
						"Description": "Allow inbound Memcached traffic from the trusted security group only",
						"IpProtocol": "tcp",
						"FromPort": 11211,
						"ToPort": 11211,
						"SourceSecurityGroupId": "sg-0abcdabcdabcdabcd"
					}
				],
				"SecurityGroupEgress": [
					{
						"Description": "Allow all outbound traffic",
						"IpProtocol": "-1",
						"FromPort": 0,
						"ToPort": 65535,
						"CidrIp": "0.0.0.0/0"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML). As in the JSON version, the ingress rule carries only the trusted SourceSecurityGroupId and no CidrIp:

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure security group to restrict inbound Memcached access to trusted servers only
Resources:
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: cc-instance-security-group
      GroupDescription: Allow Memcached access
      VpcId: vpc-01234abcd1234abcd
      SecurityGroupIngress:
        - Description: Allow inbound Memcached traffic from the trusted security group only
          IpProtocol: tcp
          FromPort: 11211
          ToPort: 11211
          SourceSecurityGroupId: sg-0abcdabcdabcdabcd
      SecurityGroupEgress:
        - Description: Allow all outbound traffic
          IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}
provider "aws" {
	profile = "default"
	region  = "us-east-1"
}
resource "aws_security_group" "ec2-security-group" {
	name        = "cc-instance-security-group"
	description = "Allow Memcached access"
	vpc_id      = "vpc-01234abcd1234abcd"
	ingress {
		description     = "Allow inbound Memcached traffic from the trusted security group only"
		from_port       = 11211
		to_port         = 11211
		protocol        = "tcp"
		# No cidr_blocks here: listing 0.0.0.0/0 next to security_groups would keep port 11211 open to everyone.
		security_groups = ["sg-0abcdabcdabcdabcd"]
	}
	egress {
		description      = "Allow all outbound traffic"
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Click inside the Find security groups by attribute or tag box located under Security Groups, type 11211 and press Enter, then select the following filters from the Client filters category: Protocol = TCP, Protocol = UDP. This will return only the security groups that allow traffic on TCP/UDP port 11211 (Memcached).

05 Select the Amazon EC2 security group that you want to configure.

06 Select the Inbound rules tab from the console split panel and choose Edit inbound rules.

07 On the Edit inbound rules configuration page, change the traffic source for the inbound rule that allows unrestricted access on TCP/UDP port 11211, by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your current IP address.
  2. Select Custom from the Source dropdown list and enter one of the following sources based on your access requirements:
    1. The static IP address of the permitted host in CIDR notation (e.g., 10.0.0.5/32).
    2. The IP address range of the permitted network/subnetwork in CIDR notation, for example, 10.0.5.0/24.
    3. The name or ID of another security group available in the Security Groups section.
    4. The name or ID of a prefix list available in the Prefix lists section. Prefix lists simplify security group configuration by grouping frequently used CIDR blocks.
  3. Choose Save rules to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Amazon EC2 security group that allows unrestricted Memcached access.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) with the ID of the Amazon EC2 security group that you want to configure as the identifier parameter, to remove the inbound rules that allow unrestricted access on TCP port 11211 (Memcached). If the security group also opens UDP port 11211, run the command a second time with IpProtocol=udp:

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-01234abcd1234abcd \
	--ip-permissions 'IpProtocol=tcp,FromPort=11211,ToPort=11211,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]' \
	--query 'Return'

02 The command output should return true if the command request succeeds:

true

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed in the previous step with a different set of parameters in order to restrict access on TCP/UDP port 11211 to trusted entities only (IP addresses, IP address ranges, security groups, or prefix lists). To create and attach custom inbound (ingress) rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command output should return true if the command request succeeds):

  1. Add an inbound rule that allows traffic from an authorized static IP address via TCP port 11211, using CIDR notation (e.g., 10.0.0.5/32). For inbound rules with UDP ports, run the command with --protocol udp:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 11211 \
    	--cidr 10.0.0.5/32 \
    	--query 'Return'

  2. Add an ingress rule that allows traffic from a trusted IP address range via TCP port 11211, using CIDR notation (for example, 10.0.5.0/24). For inbound rules with UDP ports, run the command with --protocol udp:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 11211 \
    	--cidr 10.0.5.0/24 \
    	--query 'Return'

  3. Add an inbound rule that allows traffic from another security group (e.g., sg-01234123412341234) available in the same AWS cloud region via TCP port 11211. For inbound rules with UDP ports, run the command with --protocol udp:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 11211 \
    	--source-group sg-01234123412341234 \
    	--query 'Return'

  4. Add an ingress rule that allows traffic from an AWS prefix list (e.g., pl-0123abcd) via TCP port 11211. For inbound rules with UDP ports, run the command with IpProtocol=udp:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--ip-permissions 'IpProtocol=tcp,FromPort=11211,ToPort=11211,PrefixListIds=[{PrefixListId=pl-0123abcd}]' \
    	--query 'Return'


04 Repeat steps no. 1 – 3 for each Amazon EC2 security group that allows unrestricted Memcached access.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other regions.
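The revoke/authorize sequence above is written for one protocol and one rule at a time. As an added example (not part of this page or the Conformity tooling), the following Python builds the exact IpPermissions payloads for that sequence from a group's current inbound rules: it removes only the unrestricted sources (0.0.0.0/0 and ::/0) from every rule that can carry Memcached traffic, copying the rule's protocol and port range because the API matches a revoke request against the existing rule's values, and it leaves trusted sources in place. It then builds the replacement rules restricted to one trusted source. The SAMPLE_PERMISSIONS data and the group IDs are constructed placeholders; applying the payloads with boto3's revoke_security_group_ingress() and authorize_security_group_ingress() is left to the caller so the example runs offline.

```python
"""Build revoke/authorize IpPermissions payloads that close unrestricted
Memcached (TCP/UDP 11211) access while keeping trusted sources.
Added example, not Conformity's code. The payloads have the same shape as the
--ip-permissions argument of revoke-security-group-ingress and
authorize-security-group-ingress."""

import json

MEMCACHED_PORT = 11211
OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"


def carries_memcached(perm):
    """True if an inbound rule can carry Memcached traffic (wide ranges and
    the all-protocol rule "-1" included)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= MEMCACHED_PORT <= perm.get("ToPort", 65535)


def revoke_payload(ip_permissions):
    """IpPermissions entries that remove only the unrestricted sources of
    Memcached-carrying rules; any other source (trusted CIDRs, security
    groups, prefix lists) on the same rule is untouched."""
    out = []
    for perm in ip_permissions:
        if not carries_memcached(perm):
            continue
        v4_open = any(r.get("CidrIp") == OPEN_IPV4 for r in perm.get("IpRanges", []))
        v6_open = any(r.get("CidrIpv6") == OPEN_IPV6 for r in perm.get("Ipv6Ranges", []))
        if not (v4_open or v6_open):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":  # all-traffic rules carry no port range
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4_open:
            entry["IpRanges"] = [{"CidrIp": OPEN_IPV4}]
        if v6_open:
            entry["Ipv6Ranges"] = [{"CidrIpv6": OPEN_IPV6}]
        out.append(entry)
    return out


def authorize_payload(protocols, trusted_group_id=None, trusted_cidr=None):
    """Replacement rules for port 11211 only, one per protocol, restricted to
    exactly one trusted source: a security group ID or an IPv4 CIDR block.
    If an all-traffic ("-1") rule was revoked, pass the protocols you still
    need here rather than re-opening everything."""
    if (trusted_group_id is None) == (trusted_cidr is None):
        raise ValueError("specify exactly one of trusted_group_id or trusted_cidr")
    out = []
    for proto in sorted(protocols):
        entry = {"IpProtocol": proto, "FromPort": MEMCACHED_PORT, "ToPort": MEMCACHED_PORT}
        if trusted_group_id is not None:
            entry["UserIdGroupPairs"] = [{"GroupId": trusted_group_id}]
        else:
            entry["IpRanges"] = [{"CidrIp": trusted_cidr}]
        out.append(entry)
    return out


# Constructed inbound rules of one group (placeholder values): TCP 11211 open to
# IPv4 and IPv6 but also allowed from a trusted subnet, UDP 11211 open to IPv4,
# and an unrelated port 22 rule that this remediation must not touch.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.5.0/24"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 11211, "ToPort": 11211,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    revoke = revoke_payload(SAMPLE_PERMISSIONS)
    print(json.dumps(revoke, indent=2))
    open_protocols = {e["IpProtocol"] for e in revoke}
    print(json.dumps(authorize_payload(open_protocols, trusted_group_id="sg-0abcdabcdabcdabcd"), indent=2))
```

On the sample the revoke payload contains two entries (TCP 11211 with both open ranges, UDP 11211 with the IPv4 range) and nothing for port 22 or for the 10.0.5.0/24 source; the authorize payload re-adds TCP and UDP 11211 from the trusted security group only. Either list can be passed unchanged as the IpPermissions argument of the corresponding boto3 call or serialised for the CLI's --ip-permissions option.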

Publication date Dec 14, 2020