🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢

• Contextual name: 🛡️ Security Group allows unrestricted traffic to MongoDB🟢
• ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mongodb
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EC2 Security Group
  • 🔌 AWS EC2 Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Unrestricted MongoDB Access
• Internal: dec-x-63737248

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-63737248	1

Description

Open File

Description

Audit and modify AWS EC2 Security Group rules to restrict access to MongoDB instances by blocking unrestricted inbound traffic to ports 27017 - 27020. The access should be limited to specific IP addresses or internal networks to reduce the risk of unauthorized access and potential data breaches.

Rational

MongoDB is a NoSQL database, and exposing it to the open internet (e.g., via 0.0.0.0/0) poses a significant security risk. Unrestricted access can lead to data exfiltration, unauthorized changes, and other malicious activities. Restricting access to MongoDB to trusted IP ranges or systems ensures that only authorized users or applications can interact with the database, mitigating the risk of security breaches and reduces the attack surface.

Impact

Requires careful implementation to ensure legitimate users and systems maintain access.

Audit

This policy marks an EC2 Security Group as INCOMPLIANT if it contains a rule that meets all the following conditions:

• The Direction is set to Inbound.

... see more

Remediation

Open File

Remediation

From Command Line

1. Run the following command to remove or modify the unrestricted rule for MongoDB access:

aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{protocol}} \
--port {{27017}} \
--cidr {{0.0.0.0/0 or ::/0}}

• Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

2. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:

aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?FromPort==`27017`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'

3. Monitor MongoDB access to ensure it's unaffected by the changes.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 36d access management controls —only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);		14	14		no data
💼 APRA CPG 234 → 💼 36e hardware and software asset controls —appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;		16	16		no data
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		29	30		no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37		no data
💼 APRA CPG 234 → 💼 52d appropriate segmentation of data, based on sensitivity and access needs;		10	10		no data
💼 APRA CPG 234 → 💼 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.		10	10		no data
💼 Cloudaware Framework → 💼 Threat Protection			36		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	52		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			52		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			150		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			120		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			103		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	31		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	52		no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	39		no data
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	27		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	60		no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	36		no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	24		no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			24		no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			24		no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			34		no data
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			27		no data
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			27		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			60		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			60		no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			19		no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			24		no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		24	34		no data
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		15	27		no data
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		6	27		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	60		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			60		no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		7	19		no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	24		no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38		no data