-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Discussion]: elasticache_replication_group AuthTokenUpdateStrategy set to ROTATE allows passwordless login #33439
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
Hey @Phylu - thank you for the detailed discussion! I wanted to share some context on the approach we're taking. We've had a long standing issue (#11524) to address your third point of allowing practitioners to specify the To address the concerns raised here around the initial addition of an Please let us know if there is anything else you feel like should be included as part of this change! |
Hey @jar-b Awesome! This looks like a very good solution that is adressing the issue by updating the documentation and enabling a Thanks a lot for resolving this! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Description
Assume the following scenario:
elasticache_replication_group
that does not have theauth_token
variable set.elasticache_replication_group
group by setting theauth_token
variable.After reading the documentation "(Optional) Password used to access a password protected server." [1], I would expect that the redis cluster can now only be accessed using the password.
However, passwordless access is still possible. This is due to the
AuthTokenUpdateStrategy
being set toROTATE
[2], which is what the ElastiCache documentation suggest: "After the modification is complete, the cluster supports the AUTH token specified in the auth-token parameter in addition to supporting connecting without authentication." [3].I see this as an important security issue as the expected password protection is not in effect. I see the following possibilities
AuthTokenUpdateStrategy=SET
when enabling an auth token for the first time. Then the provider can (and should) switch theAuthTokenUpdateStrategy
accordingly.auth_token
for the first time, passwordless usage of the redis cluster is still possible. It must also be documented that when theauth_token
is changed in terraform, a new token is set, but the old token is still active. (!)AuthTokenUpdateStrategy
using a terraform variable [4] in order to allow a real change of the auth token and not only adding a new auth token (while keeping the old one active).What way forward do you suggest? I am happy to take care of the documentation change and might also give the additional variable a try if this makes sense.
References
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group
[2] https://github.com/hashicorp/terraform-provider-aws/blob/cd2c2fbaf85651452e44eb0ff2a017ac0824d315/internal/service/elasticache/replication_group.go#L828C51-L828C51
[3] https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html#auth-modifyng-token
[4] #11524
Would you like to implement a fix?
Yes
The text was updated successfully, but these errors were encountered: