EC2 instances with security groups permitting Internet access to Redis on TCP 6379 are identified.
Exposure is assessed using public IP assignment and subnet reachability to reflect how broadly the service can be contacted.
Risk
Exposed Redis allows remote access to cached data and secrets, reducing confidentiality. Unauthorized commands (SET, DEL, FLUSHALL, config changes) can corrupt or erase data, harming integrity. Internet scanning and abuse can exhaust memory and disrupt service, degrading availability and enabling lateral movement.
prowler aws --checks ec2_instance_port_redis_exposed_to_internet
prowler aws --checks ec2_instance_port_redis_exposed_to_internet --fixer
Recommendation
Apply least privilege network access: restrict Redis to trusted sources or VPC-only, place instances in private subnets, and avoid public IPs.
Layer controls with NACLs and host firewalls, enforce authentication and TLS on Redis, and use VPN/bastion or proxies to broker access.
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 6379 --cidr 0.0.0.0/0
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the affected instance
- Open the Inbound rules tab and click Edit inbound rules
- Find any rule allowing TCP port 6379 from 0.0.0.0/0 or ::/0
- Delete the rule, or change the source to a specific trusted CIDR or security group
- Click Save rules
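The following is an added, offline model of the two pieces of logic above: the detection described at the top of the page (a rule that lets the Internet reach TCP 6379, combined with public IP assignment and subnet reachability) and the revoke command from the Remediation section. It is example code, not Prowler's own check implementation. The inputs are constructed to mimic the shape of boto3 `describe_security_groups`, `describe_instances` and `describe_route_tables` responses; the group, subnet and instance IDs (`sg-0aaa`, `subnet-pub`, `i-range`, ...) are made up, and the exposure labels are this example's own wording rather than Prowler's severity mapping. It also covers two cases practitioners miss: a port range such as 6000-7000 that silently includes 6379, and `::/0` or all-protocol rules, which the `--cidr` form of `revoke-security-group-ingress` cannot remove.

```python
import json

REDIS_PORT = 6379
INTERNET_CIDRS = ("0.0.0.0/0", "::/0")


def rule_covers_port(perm, port=REDIS_PORT):
    """True if an IpPermissions entry allows TCP traffic to `port`.
    IpProtocol "-1" means every protocol and port; a TCP range is inclusive."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_sources(perm):
    """Source CIDRs in the rule that mean 'anyone' (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in INTERNET_CIDRS]


def open_redis_rules(sg):
    """(permission, offending CIDR) pairs that let the Internet reach 6379."""
    return [(p, c) for p in sg.get("IpPermissions", [])
            if rule_covers_port(p) for c in internet_sources(p)]


def subnet_is_public(subnet_id, route_tables):
    """A subnet is Internet-reachable when its route table sends 0.0.0.0/0 to
    an Internet gateway (igw-...); a NAT gateway route does not count."""
    for rt in route_tables:
        if subnet_id in rt["SubnetIds"]:
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                       and r.get("GatewayId", "").startswith("igw-")
                       for r in rt["Routes"])
    return False


def revoke_command(group_id, perm, cidr):
    """Build the CLI call that removes exactly this rule. The --port value must
    match the rule's full range (revoking only 6379 from a 6000-7000 rule
    matches nothing); ::/0 and all-protocol rules need --ip-permissions."""
    base = f"aws ec2 revoke-security-group-ingress --group-id {group_id}"
    if perm["IpProtocol"] == "tcp" and ":" not in cidr:
        lo, hi = perm["FromPort"], perm["ToPort"]
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        return f"{base} --protocol tcp --port {port} --cidr {cidr}"
    ip_perm = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        ip_perm["FromPort"], ip_perm["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        ip_perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        ip_perm["IpRanges"] = [{"CidrIp": cidr}]
    return f"{base} --ip-permissions '{json.dumps([ip_perm])}'"


def assess_instance(instance, sgs_by_id, route_tables):
    """Return the check result for one instance plus the fixes it needs."""
    fixes = []
    for sg_id in instance["SecurityGroupIds"]:
        for perm, cidr in open_redis_rules(sgs_by_id[sg_id]):
            fixes.append(revoke_command(sg_id, perm, cidr))
    if not fixes:
        return {"status": "PASS", "exposure": "none", "fixes": []}
    public_ip = bool(instance.get("PublicIpAddress"))
    public_subnet = subnet_is_public(instance["SubnetId"], route_tables)
    # Exposure wording below is this example's own, not Prowler's severities.
    if public_ip and public_subnet:
        exposure = "reachable from the Internet"
    elif public_ip or public_subnet:
        exposure = "partially exposed (public IP or public subnet, not both)"
    else:
        exposure = "rule is open but instance is not Internet-reachable"
    return {"status": "FAIL", "exposure": exposure, "fixes": fixes}


# Constructed sample data (IDs are made up) in the shape of boto3 responses.
SECURITY_GROUPS = {
    "sg-0aaa": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    "sg-0bbb": {"IpPermissions": [          # 6000-7000 range hides 6379, IPv6 any
        {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-0ccc": {"IpPermissions": [          # 6379 restricted to a trusted CIDR
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
}
ROUTE_TABLES = [
    {"SubnetIds": ["subnet-pub"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"SubnetIds": ["subnet-priv"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
INSTANCES = [
    {"InstanceId": "i-pub", "SubnetId": "subnet-pub",
     "PublicIpAddress": "203.0.113.10", "SecurityGroupIds": ["sg-0aaa"]},
    {"InstanceId": "i-range", "SubnetId": "subnet-priv", "SecurityGroupIds": ["sg-0bbb"]},
    {"InstanceId": "i-ok", "SubnetId": "subnet-pub",
     "PublicIpAddress": "203.0.113.11", "SecurityGroupIds": ["sg-0ccc"]},
]


def run(instances=INSTANCES, sgs=SECURITY_GROUPS, route_tables=ROUTE_TABLES):
    return {i["InstanceId"]: assess_instance(i, sgs, route_tables) for i in instances}


if __name__ == "__main__":
    for iid, result in run().items():
        print(iid, result["status"], result["exposure"])
        for cmd in result["fixes"]:
            print("   ", cmd)
```

Note that `i-range` still fails even though it has no public IP and sits behind a NAT gateway: the open rule is the finding, and the public IP and subnet route only describe how reachable the instance is today, which is exactly why the page assesses exposure separately from the rule itself.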
Resource Type
AwsEc2Instance
References
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- https://support.icompaas.com/support/solutions/articles/62000233806-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-6379-redis-
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-redis-access.html