Unrestricted MongoDB Access Should Not Be Allowed
More Info:
No security group should allow unrestricted ingress access to MongoDB port 27017.
Risk Level: Medium
Address: Security
Compliance Standards: CBP, HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the unrestricted MongoDB access issue in AWS, you can follow these steps:
- Open the AWS Management Console and navigate to the EC2 dashboard.
- Select the Security Groups option from the left-hand menu.
- Find the security group associated with the MongoDB instance that you want to restrict access to.
- Click on the security group to open the details page.
- Select the Inbound Rules tab.
- Locate the rule that allows unrestricted access to MongoDB (default port 27017).
- Click on the “Edit” button next to the rule.
- Change the Source field to restrict access to only the IP addresses or CIDR ranges that require access to the MongoDB instance.
- Click “Save” to apply the changes.
By following these steps, you have successfully remediated the unrestricted MongoDB access issue in AWS by restricting access to only authorized IP addresses or CIDR ranges.
To remediate unrestricted MongoDB access in AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to list all the MongoDB instances running in your AWS account:
```bash
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,Engine]' --filters "Name=engine,Values=mongodb"
```
- Identify the MongoDB instances that have unrestricted access.
- Run the following command to modify the security group associated with the MongoDB instance so that it allows access only from specific IP addresses:
```bash
aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --vpc-security-group-ids <security-group-id>
```
Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance and <security-group-id> with the ID of the security group that allows access only from specific IP addresses.
- Verify the changes by running the following command:
```bash
aws rds describe-db-instances --db-instance-identifier <db-instance-identifier> --query 'DBInstances[*].[DBInstanceIdentifier,VpcSecurityGroups[0].VpcSecurityGroupId]'
```
Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance.
After these steps, the MongoDB instance will only allow access from specific IP addresses.
To remediate unrestricted MongoDB access in AWS using Python, you can follow these steps:
- Identify the MongoDB instances running in your AWS environment.
- For each instance, check if the security group associated with it allows unrestricted access to the MongoDB port (default port is 27017).
- If the security group allows unrestricted access, update the security group to restrict access to the MongoDB port to only the necessary IP addresses or CIDR ranges.
- You can use the boto3 library in Python to interact with the AWS API and perform the above steps.
Here is sample Python code that can help you remediate the issue:
```python
import boto3

# Initialize the EC2 client
client = boto3.client('ec2')

MONGODB_PORT = 27017

# Get a list of all MongoDB instances (identified here by their Name tag)
response = client.describe_instances(
    Filters=[
        {
            'Name': 'tag:Name',
            'Values': ['*mongodb*']
        }
    ]
)

# Collect the security groups attached to those instances.
# describe_instances only returns group IDs and names; the rules themselves
# (IpPermissions) have to be fetched with describe_security_groups.
group_ids = set()
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        for sg in instance['SecurityGroups']:
            group_ids.add(sg['GroupId'])

security_groups = []
if group_ids:  # an empty GroupIds list would return every group in the account
    security_groups = client.describe_security_groups(GroupIds=list(group_ids))['SecurityGroups']

# Loop through each security group and update it
for sg in security_groups:
    # Check if the security group allows unrestricted access to the MongoDB port
    unrestricted_rules = []
    for permission in sg['IpPermissions']:
        if (permission.get('IpProtocol') == 'tcp'
                and permission.get('FromPort') == MONGODB_PORT
                and permission.get('ToPort') == MONGODB_PORT):
            open_ranges = [r for r in permission.get('IpRanges', []) if r['CidrIp'] == '0.0.0.0/0']
            if open_ranges:
                unrestricted_rules.append({
                    'IpProtocol': 'tcp',
                    'FromPort': MONGODB_PORT,
                    'ToPort': MONGODB_PORT,
                    'IpRanges': open_ranges
                })
    # If unrestricted access is allowed, remove the open rule first, then add a restricted one
    # (only authorizing a new rule would leave the 0.0.0.0/0 rule in place)
    if unrestricted_rules:
        client.revoke_security_group_ingress(
            GroupId=sg['GroupId'],
            IpPermissions=unrestricted_rules
        )
        response = client.authorize_security_group_ingress(
            GroupId=sg['GroupId'],
            IpPermissions=[
                {
                    'IpProtocol': 'tcp',
                    'FromPort': MONGODB_PORT,
                    'ToPort': MONGODB_PORT,
                    'IpRanges': [
                        {
                            'CidrIp': '10.0.0.0/8'  # Replace with the necessary IP addresses or CIDR ranges
                        }
                    ]
                }
            ]
        )
        print(response)
```
Note: This is sample code and may need to be modified for your specific AWS environment and requirements. Test it in a non-production environment before applying it to production.
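The detection side of this check, as an added example that is not part of the original page: a pure-Python evaluator over security-group rules in the shape `describe_security_groups` returns them. It goes beyond the exact `FromPort == ToPort == 27017` match above by also catching port ranges that include 27017, all-traffic (`-1`) rules, and the IPv6 equivalent `::/0`; the sample groups and their IDs are constructed placeholders, so it runs offline without AWS credentials.

```python
# Constructed example: evaluate security-group ingress rules, in the shape EC2
# describe_security_groups returns them, for unrestricted access to port 27017.
MONGODB_PORT = 27017
UNRESTRICTED_CIDRS = {'0.0.0.0/0', '::/0'}

def rule_covers_port(permission, port=MONGODB_PORT):
    """True if an IpPermissions entry covers `port` over TCP or all traffic."""
    proto = permission.get('IpProtocol')
    if proto == '-1':  # all protocols and ports: no FromPort/ToPort keys
        return True
    if proto != 'tcp':
        return False
    return permission.get('FromPort', 0) <= port <= permission.get('ToPort', 65535)

def unrestricted_sources(permission):
    """CIDRs in the rule that expose it to the whole IPv4 or IPv6 internet."""
    sources = [r['CidrIp'] for r in permission.get('IpRanges', [])]
    sources += [r['CidrIpv6'] for r in permission.get('Ipv6Ranges', [])]
    return sorted(set(sources) & UNRESTRICTED_CIDRS)

def find_unrestricted_mongodb(security_groups):
    """Return {GroupId: [open CIDRs]} for every group exposing 27017 to the world."""
    findings = {}
    for sg in security_groups:
        open_cidrs = set()
        for permission in sg.get('IpPermissions', []):
            if rule_covers_port(permission):
                open_cidrs.update(unrestricted_sources(permission))
        if open_cidrs:
            findings[sg['GroupId']] = sorted(open_cidrs)
    return findings

# Constructed sample groups (IDs are placeholders, not real resources)
SAMPLE_GROUPS = [
    {'GroupId': 'sg-open', 'IpPermissions': [  # 27017 open to all IPv4
        {'IpProtocol': 'tcp', 'FromPort': 27017, 'ToPort': 27017,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': []}]},
    {'GroupId': 'sg-range', 'IpPermissions': [  # range covering 27017, open to all IPv6
        {'IpProtocol': 'tcp', 'FromPort': 27000, 'ToPort': 28000,
         'IpRanges': [], 'Ipv6Ranges': [{'CidrIpv6': '::/0'}]}]},
    {'GroupId': 'sg-ok', 'IpPermissions': [  # restricted to a private CIDR
        {'IpProtocol': 'tcp', 'FromPort': 27017, 'ToPort': 27017,
         'IpRanges': [{'CidrIp': '10.0.0.0/8'}], 'Ipv6Ranges': []}]},
]

if __name__ == '__main__':
    print(find_unrestricted_mongodb(SAMPLE_GROUPS))
```

To run it against a live account, feed it the `SecurityGroups` list from `boto3.client('ec2').describe_security_groups()` instead of `SAMPLE_GROUPS`.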