• AWS resources are secure by default, which is a good thing. However, what happens when you want to open things up for testing and development?

    Consider the case of making AWS-hosted Redis accessible from outside of the AWS network.

    You can use ElastiCache, which can be configured to be accessible from outside AWS, but not without difficulty.

    I took the DIY approach and installed Redis on a clean EC2 instance. Exposing Redis on an EC2 instance is relatively straightforward.

    Add an Inbound Rule Exposing Your Redis Port

    Find the security group associated with your EC2 instance and add a custom TCP inbound rule exposing whatever port you intend to use (in the screenshot below, port 6379).

    Note that the CIDR 0.0.0.0/0 whitelists every IP address on port 6379. Therefore you must password-protect your Redis instance by uncommenting requirepass in your Redis configuration file.

    Redis has full access to the filesystem (with the default configuration). If Redis is exposed on a port and no password is set, it is trivially easy for malicious actors to take over your server by using Redis to write to ~/.ssh/authorized_keys:

    Yes. I successfully gained access as the Redis user, with a proper shell, in like five seconds. Courtesy of a Redis instance unprotected being, basically, an on-demand-write-this-file server, and in this case, by ssh not being conservative enough to deny access to a file which is all composed of corrupted keys but for one single entry. However ssh is not the problem here, once you can write files, even with binary garbage inside, it’s a matter of time and you’ll gain access to the system in one way or the other. 

    Disable Protected Mode 

    Edit your Redis configuration to disable protected mode:

    sed -i 's/protected-mode yes/protected-mode no/' /path/to/your/redis.conf

    Bind 0.0.0.0 (Or Comment Out the Line)

    sed -i 's/bind\s127.0.0.1/bind 0.0.0.0/' /path/to/your/redis.conf

    Password-Protect Your Redis Instance

    Redis is fast, and millions of passwords can be checked per second, so you need a long, high-entropy password.

    Edit your Redis configuration so that requirepass is uncommented, or run the following command.

    sed -i "s/# requirepass.*/requirepass MY_EXTREMELY_DIFFICULT_PASSWORD/" /path/to/your/redis.conf
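The three configuration edits above, combined into one script that refuses to expose Redis without a password of reasonable length and then audits the resulting file. This is an added example, not code from the original post; expose_redis and audit_redis_conf are hypothetical helper names, and the 32-character minimum is an assumed policy.

```shell
#!/usr/bin/env bash
# Hypothetical helpers (not from the original post). They apply the
# protected-mode, bind and requirepass edits to a redis.conf, but only
# when a sufficiently long password is supplied, then audit the result.
set -eu

# Usage: expose_redis <redis.conf> <password>
# The password must not contain '|', '&' or '\' (used in the sed below).
expose_redis() {
  conf="$1"; pass="$2"
  # An exposed Redis with a short password is brute-forced in seconds,
  # so insist on a minimum length before touching the config at all.
  if [ "${#pass}" -lt 32 ]; then
    echo "password too short (${#pass} chars, need >= 32)" >&2
    return 1
  fi
  sed -i 's/^protected-mode yes/protected-mode no/' "$conf"
  sed -i 's/^bind[[:space:]]\{1,\}127\.0\.0\.1.*/bind 0.0.0.0/' "$conf"
  # Replace the commented-out default (# requirepass foobared) with ours.
  sed -i "s|^# requirepass.*|requirepass ${pass}|" "$conf"
}

# Usage: audit_redis_conf <redis.conf>
# Returns 0 if the file is safe to run, 1 if it is reachable from the
# network (bind 0.0.0.0 or protected-mode no) without a strong requirepass.
audit_redis_conf() {
  conf="$1"
  exposed=0
  grep -Eq '^bind[[:space:]]+0\.0\.0\.0' "$conf" && exposed=1
  grep -Eq '^protected-mode[[:space:]]+no' "$conf" && exposed=1
  # Active (uncommented) requirepass value, empty if none is set.
  pass="$(sed -n 's/^requirepass[[:space:]]\{1,\}//p' "$conf" | head -n1)"
  if [ "$exposed" -eq 1 ] && [ "${#pass}" -lt 32 ]; then
    echo "UNSAFE: $conf is network-exposed with no or weak requirepass" >&2
    return 1
  fi
  echo "OK: $conf"
}
```

Run audit_redis_conf against the live redis.conf before restarting the service; a loopback-only config passes regardless of requirepass, an exposed one passes only with a password set.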

    Disabling The Firewall

    If you're having trouble connecting to your EC2-hosted Redis, you may need to disable iptables.

    service iptables save
    service iptables stop
    chkconfig iptables off

    Installing Redis On EC2

    Some notes on installation:

    • You don't need to SSH into your instance to install Redis. Instead, you can supply a script via the user-data argument. user-data is just a bash script that is run automatically once on the instance after deployment. If you're creating your instance from the command line, AWS expects user-data to be a string, e.g., '#!/usr/bin/env bash....'. If you're using the AWS SDK, the parameter is named UserData and must be base64 encoded. For example: ec2.runInstances({ UserData: fs.readFileSync('script.sh', { encoding: 'base64' }) }).