Accessing Redis from an external app not hosted on AWS

Question

Hello, I am looking into using redis from an app not hosted in AWS. I saw in documentation that it's not recommended due to security concerns other than in testing/development with a VPN. Is there any documentation on what those concerns are? I need to present to my manager an explanation of why it's not recommended.

Accepted Answer

Given that Redis is a database (yes, in-memory but that's the idea - for speed): We strongly recommend that you don't expose databases to the Internet directly. It opens them to attack, abuse, etc.

Could you limit access to Redis (or any database) to specific remote IP addresses? Yes. But it's pretty easy to make a mistake there; and if there are many users of the application then that becomes impractical and difficult to maintain.

Could you limit access using some sort of authentication (could be username/password; could be API key; etc.)? Yes. But now your database is open to brute-force attacks; potential DDoS; and so on.

If you allow access to Redis via a VPN (presumably site-so-site but client VPN also qualifies) and only allow access via the VPN then generally (from a security perspective) that's a "private" connection (the "P" in VPN") so you have controlled who can connect.

TL;DR: Security best practice says "don't allow access to databases over the Internet unless you really know what you're getting into".

Accessing Redis from an external app not hosted on AWS

相關內容