Unrestricted MongoDB Access Should Not Be Allowed

More Info:

No security group should allow unrestricted ingress access to MongoDB port 27017.

Risk Level

Medium

Address

Security

Compliance Standards

CBP, HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate unrestricted MongoDB access in AWS using AWS CLI, follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to list all the MongoDB instances running in your AWS account:

aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,Engine]' --filters "Name=engine,Values=mongodb"

Identify the MongoDB instances that have unrestricted access.
Run the following command to modify the security group associated with the MongoDB instance to allow access only from specific IP addresses:

aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --vpc-security-group-ids <security-group-id>

Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance and <security-group-id> with the ID of the security group that allows access only from specific IP addresses. 5. Verify the changes by running the following command:

aws rds describe-db-instances --db-instance-identifier <db-instance-identifier> --query 'DBInstances[*].[DBInstanceIdentifier,VpcSecurityGroups[0].VpcSecurityGroupId]'

Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance.After these steps, the MongoDB instance will only allow access from specific IP addresses.

Using Python

To remediate unrestricted MongoDB access in AWS using Python, you can follow these steps:

Identify the MongoDB instances running in your AWS environment.
For each instance, check if the security group associated with it allows unrestricted access to the MongoDB port (default port is 27017).
If the security group allows unrestricted access, update the security group to restrict access to the MongoDB port to only the necessary IP addresses or CIDR ranges.
You can use the boto3 library in Python to interact with the AWS API and perform the above steps.

Here’s a sample Python code that can help you remediate the issue:

import boto3

# Initialize the AWS client
client = boto3.client('ec2')

# Get a list of all MongoDB instances
response = client.describe_instances(
    Filters=[
        {
            'Name': 'tag:Name',
            'Values': ['*mongodb*']
        }
    ]
)

# Loop through each instance and update its security group
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        for sg in instance['SecurityGroups']:
            # Check if the security group allows unrestricted access to MongoDB port
            ip_permissions = sg['IpPermissions']
            unrestricted_access = False
            for permission in ip_permissions:
                if permission['IpProtocol'] == 'tcp' and permission['FromPort'] == 27017 and permission['ToPort'] == 27017:
                    for ip_range in permission['IpRanges']:
                        if ip_range['CidrIp'] == '0.0.0.0/0':
                            unrestricted_access = True
                            break
            
            # If unrestricted access is allowed, update the security group
            if unrestricted_access:
                response = client.authorize_security_group_ingress(
                    GroupId=sg['GroupId'],
                    IpPermissions=[
                        {
                            'IpProtocol': 'tcp',
                            'FromPort': 27017,
                            'ToPort': 27017,
                            'IpRanges': [
                                {
                                    'CidrIp': '10.0.0.0/8' # Replace with the necessary IP addresses or CIDR ranges
                                }
                            ]
                        }
                    ]
                )
                print(response)

Note: This is just a sample code and may need to be modified based on your specific AWS environment and requirements. It’s recommended to test the code in a non-production environment before applying it to your production environment.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted MongoDB Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: