🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢
- Contextual name: 🛡️ GCE Network has Firewall Rules which allow unrestricted MongoDB access from the Internet🟢
- ID:
/ce/ca/google/vpc/network-mongodb-access - Tags:
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logic
Description
Description
This policy identifies Google GCE Networks that have Firewall Rules allowing unrestricted incoming traffic (
0.0.0.0/0) from the internet to the standard MongoDB ports:TCP/27017-27019.In GCP, Firewall Rules are defined at the VPC Network level. Each rule either allows or denies traffic based on its configuration. These configurations specify the type of traffic (e.g., protocols and ports) and the source or destination (e.g., IP addresses, subnets, and instances).
Rationale
MongoDB is a widely used NoSQL database that, in many default configurations and older versions, lacks authentication and can be exposed to the internet. Publicly accessible MongoDB instances pose a severe security risk. Attackers continuously scan for open MongoDB ports, and upon discovery, can connect to the database to steal, delete, or encrypt data for ransom. Access to MongoDB ports should always be restricted to application servers or trusted administrative systems, following the principle of least privilege.
... see more
Remediation
Remediation
From Google Cloud Console
- Go to
VPC Network.- Go to the
Firewall Rules.- Click the
Firewall Ruleto be modified.- Click
Edit.- Modify
Source IP rangesto specificIP.- Click
Save.From Google Cloud CLI
Identify Firewall Rules Allowing Public Access
gcloud compute networks get-effective-firewalls default \
--format="table(NAME, DIRECTION, IP_RANGES)" \
--filter="IP_RANGES:0.0.0.0/0 AND DIRECTION:INGRESS"Restrict the Source Range
Once you have identified the firewall rules, update each one to restrict access to trusted CIDR ranges:
gcloud compute firewall-rules update {{firewall-rule-name}} \
--source-ranges={{cidr-range1}},{{cidr-range2}}