How Can I Secure My DCS Redis Instances?

Redis is one of the most powerful and widely used open-source cache technologies. However, the open-source Redis does not have robust security features of its own. It is vulnerable to malicious Internet attacks, possibly causing data breaches.

To secure your DCS Redis instances, consider taking the following advice:

• Network connection configurations
  1. Encrypt sensitive data and disable public access.

     Sensitive data must be encrypted before being stored. Do not use public access unless otherwise required.

  2. Configure access rules for your security groups.

     Security groups and VPCs are designed for securing network access. Allow access over as few ports as possible to avoid risks.

  3. Configure ECS firewalls.

     Configure firewall filtering rules for the ECS where your client runs.

  4. Set the instance password.
  5. Configure a whitelist.
• redis-cli usage
  1. Hide the password.

     Problem: If the -a <password> option is used, the password may show up when the ps command is run.

     Solution: Modify the Redis source code. Hide the password immediately after starting redis-cli by calling the main function.

  2. Disable sudo in running scripts.

     Problem: Parameters for starting redis-cli contain sensitive patterns related to the password, which may show up when the ps command is run and may be logged.

     Solution: Access the instance by calling APIs (or through redis-py in Python). Do not allow switching to the dbuser user using sudo in redis-cli.