Redis cache is accessible without authentication Affecting Redis service in Azure

Severity Framework Snyk CCSS

Rule category IAM / Authentication

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM

Snyk ID SNYK-CC-00571
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Unauthenticated users will be able to access the data stored in the cache.

How to fix?

Set authnotrequired to Disabled in redisConfiguration or remove the attribute entirely.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2022-06-01",
            "name": "allowed1",
            "location": "[resourceGroup().location]",
            "properties": {
                "enableNonSslPort": false,
                "minimumTlsVersion": "1.2",
                "redisConfiguration": {
                    "maxfragmentationmemory-reserved": "10",
                    "maxmemory-reserved": "10",
                    "maxclients": "10000"

                },
                "sku": {
                    "capacity": 1,
                    "family": "C",
                    "name": "Standard"
                },
                "tenantSettings": {}
            }
        }
    ]
}

ARM

Microsoft.Cache redis

Terraform

azurerm_redis_cache

References

Azure security baseline for Redis Cache