访问配置了用户组访问控制的Valkey集群时，无密码也可连接的问题

When building applications in the AWS cloud environment, ElastiCache, as a managed in-memory cache service, often becomes a key component for improving application performance. ElastiCache supports both Valkey and Redis OSS engine. By choosing Valkey, customers can save up to 33% on costs with serverless and up to 20% with node-based ElastiCache compare to Redis OSS. Valkey is an open-source tool built under the Linux Foundation, fully compatible with Redis OSS v7.2. Recently, a customer encountered an issue while building a project requiring strict data access control with ElastiCache Valkey Engine: despite configuring user groups for access control, the 'default' user was able to connect to the ElastiCache cluster using any password. The customer found this surprising, but it's actually by design for compatibility purposes in AWS ElastiCache service. This article will reconstruct the customer's cluster configuration and provide solutions.

Problem Reconstruction

1. The customer used an ElastiCache Valkey cluster and selected a user group access control list. The chosen user group was demo-issue-group.

2.When creating a user group, the ElasticCache Redis engine was selected. The already created demo-redis user was added, and the user password was configured. The user did not notice the prompt in the management console during user group creation, indicating that a user with the default username must be added, but still added the system's pre-created default user with both user ID and username as "default".

3.After creation, the user group is shown in the figure below.

4. Using AWS CloudShell Valkey-cli tool to connect to the cluster, you can discover:

• No username or password is required to access the cluster and query successfully;
• If using the demo-redis user for authentication, connection is successful when the password is correct and fails when the password is incorrect.

Problem Cause Analysis

We noticed that when creating a Redis user group, a user with the username 'default' must be included. Upon examining the user provided by AWS with both user ID and username as 'default', we found that its authentication mode allows access without a password. This is also stated in AWS's official documentation, the original content is as follows: **ElastiCache automatically configures a default user with user ID and user name "default" and adds it to all user groups. You can't modify or delete this user. This user is intended for compatibility with the default behavior of previous Redis OSS versions and has an access string that permits it to call all commands and access all keys. To add proper access control to a cache, replace this default user with a new one that isn't enabled or uses a strong password. To change the default user, create a new user with the user name set to default. You can then swap it with the original default user. ** Therefore, when using a user group with this default user to connect to a Redis/Valkey cluster, no authentication information is needed to access the cluster.

Solution

• Option one, continue to use Redis engine user groups, replace the default user. The document provides operational instructions for replacing the default user.

1. Create a new user named default (note that user IDs cannot be duplicated, but usernames can be repeated).
2. Modify the user information of demo-issue-group and save it.
3. When the user group status becomes Active, perform verification.
4. Still using valkey-cli in AWS CloudShell for access: If connecting without a password and performing operations, it will prompt that you are not authenticated and unable to perform cache operations. Using the newly created default and demo-redis users to access, with the correct password, both can successfully connect and perform cache operations.

• Option 2: Use user groups with Valkey Engine. For user groups using the Valkey engine, a default user is not required. Additionally, Valkey user groups do not support users without authentication, which prevents login without a password.

Summary

In ElastiCache, Redis and Valkey provide slightly different authentication: When creating users:

1. Redis engine supports IAM authentication, password, or no authentication.
2. Valkey engine supports IAM authentication or password, but not no authentication. When creating user groups:
3. Redis engine user groups don't support Valkey engine users.
4. Valkey engine user groups support Redis engine users, but those users must have authentication enabled, not no-authentication mode.

Understanding these authentication differences between Redis and Valkey engines in AWS ElastiCache is crucial for building secure cache solutions. By properly configuring user authentication methods and user groups, you can effectively prevent unauthorized access and ensure your cached data receives appropriate protection. This experience also reminds us that even seemingly simple configurations in cloud services may hide security risks, requiring vigilance and thorough understanding of how each service operates.