Ensure GCP Memorystore for Redis has AUTH enabled

Error: GCP Memorystore for Redis has AUTH disabled

Bridgecrew Policy ID: BC_GCP_GENERAL_24
Checkov Check ID: CKV_GCP_95
Severity: MEDIUM

Description

AUTH is an optional security feature on Memorystore for Redis that requires incoming connections to authenticate with an AUTH string. Every AUTH string is a Universally Unique Identifier (UUID), and each Redis instance with AUTH enabled has a unique AUTH string.

When you enable the AUTH feature on your Memorystore instance, incoming client connections must authenticate in order to connect. Once a client authenticates with an AUTH string, it remains authenticated for the lifetime of that connection, even if you change the AUTH string.

We recommend that you enable AUTH on your Memorystore for Redis database to protect against unwanted or non-approved connections.

Fix - Runtime

GCP Console

To enable AUTH on your Memorystore for Redis database:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Memorystore for Redis.
  3. View your instance's Instance details page by clicking on your Instance ID.
  4. Select the EDIT button.
  5. Scroll to the Security section and select the checkbox for Enable AUTH.

CLI Command

To enable AUTH on your Memorystore for Redis instance, execute the following command:

gcloud beta redis instances update INSTANCE-ID \
  --enable-auth \
  --region=REGION

Replace INSTANCE-ID with your Memorystore for Redis instance ID. Replace REGION with the region where your Memorystore for Redis database lives.

Fix - Buildtime

Terraform

  • Resource: google_redis_instance
  • Field: auth_enabled

resource "google_redis_instance" "cache" {
  name           = "memory-cache"
  display_name   = "memory cache db"
  tier           = "STANDARD_HA"
  memory_size_gb = 1

- auth_enabled = false
+ auth_enabled = true
}
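As an added example (not from the page or from Checkov's own source), the check logic below scans Terraform text for google_redis_instance resources and reports each one as PASSED or FAILED with the same rule this policy enforces: auth_enabled must be true, and a missing field counts as disabled because the provider default is AUTH off. The sample Terraform is constructed for the demonstration and the regex parser assumes flat attribute blocks.

```python
import re

# Constructed sample Terraform (not from the page): one instance omits the field,
# one sets it to false, one is compliant.
SAMPLE_TF = '''
resource "google_redis_instance" "cache" {
  name           = "memory-cache"
  tier           = "STANDARD_HA"
  memory_size_gb = 1
}

resource "google_redis_instance" "legacy" {
  name         = "legacy-cache"
  auth_enabled = false
}

resource "google_redis_instance" "secure" {
  name         = "secure-cache"
  auth_enabled = true
}
'''

# Matches a top-level google_redis_instance block; assumes no nested sub-blocks.
BLOCK_RE = re.compile(
    r'resource\s+"google_redis_instance"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches the auth_enabled attribute line inside a block body.
AUTH_RE = re.compile(r'^\s*auth_enabled\s*=\s*(true|false)\s*$', re.M)


def check_redis_auth(tf_text):
    """Return {resource_name: "PASSED" | "FAILED"} for every google_redis_instance.

    A resource fails when auth_enabled is false or absent: the field is optional
    and defaults to false, so omitting it leaves the instance without AUTH.
    """
    results = {}
    for name, body in BLOCK_RE.findall(tf_text):
        match = AUTH_RE.search(body)
        enabled = match is not None and match.group(1) == "true"
        results[name] = "PASSED" if enabled else "FAILED"
    return results


def failing_resources(tf_text):
    """Sorted names of instances that would trip this policy."""
    return sorted(n for n, v in check_redis_auth(tf_text).items() if v == "FAILED")


if __name__ == "__main__":
    for name, verdict in check_redis_auth(SAMPLE_TF).items():
        print(f"google_redis_instance.{name}: {verdict}")
```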