📝 Azure VM Scale Set Instance allows public access to MongoDB ports 🟢

• Contextual name: 📝 Instance allows public access to MongoDB ports 🟢
• ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-traffic-to-mongodb
• Located in: 📁 Azure VM Scale Set

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Azure VM Scale Set Instance
  • 🔌 Azure Network Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that Azure VM Scale Set Instances hosting MongoDB instances are not exposed to unrestricted public access on ports 27017 through 27020.

Network Security Group (NSG) rules should be configured to block inbound traffic to these ports from untrusted sources, and access should be limited to specific, authorized IP address ranges or internal networks. This minimizes the potential for unauthorized access and reduces the risk of data breaches.

Rational

MongoDB is a widely used NoSQL database that, when exposed to the public internet (e.g., via 0.0.0.0/0), presents significant security vulnerabilities. Unrestricted access to MongoDB ports allows malicious actors to perform unauthorized operations, such as data exfiltration, unauthorized modifications, or exploitation of known vulnerabilities. By restricting MongoDB access to trusted IP addresses or internal networks, organizations can limit exposure and ensure that only authorized systems and users are able to interact with the database, significantly reducing the attack surface.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

• If the rule is not required: Remove the rule entirely.

• If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

1. Delete the rule:

   az network nsg rule delete \
     --resource-group {{resource-group-name}} \
     --nsg-name {{nsg-name}} \
     --name {{rule-name}}

2. Restrict the rule:

   az network nsg rule update \
       --resource-group {{resource-group-name}} \
       --nsg-name {{nsg-name}} \
       --name {{rule-name}} \
       --source-address-prefixes {{trusted-cidr}} 

   Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 Cloudaware Framework → 💼 Public and Anonymous Access			69