More Info:

No security group should allow unrestricted ingress access to MongoDB port 27017.

Risk Level

Medium

Address

Security

Compliance Standards

CBP, HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the unrestricted MongoDB access issue in AWS, you can follow these steps:
  1. Open the AWS Management Console and navigate to the EC2 dashboard.
  2. Select the Security Groups option from the left-hand menu.
  3. Find the security group associated with the MongoDB instance that you want to restrict access to.
  4. Click on the security group to open the details page.
  5. Select the Inbound Rules tab.
  6. Locate the rule that allows unrestricted access to MongoDB (default port 27017).
  7. Click on the “Edit” button next to the rule.
  8. Change the Source field to restrict access to only the IP addresses or CIDR ranges that require access to the MongoDB instance.
  9. Click “Save” to apply the changes.
By following these steps, you have successfully remediated the unrestricted MongoDB access issue in AWS by restricting access to only authorized IP addresses or CIDR ranges.

To remediate unrestricted MongoDB access in AWS using AWS CLI, follow the below steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the MongoDB instances running in your AWS account:
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,Engine]' --filters "Name=engine,Values=mongodb"
  1. Identify the MongoDB instances that have unrestricted access.
  2. Run the following command to modify the security group associated with the MongoDB instance to allow access only from specific IP addresses:
aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --vpc-security-group-ids <security-group-id>
Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance and <security-group-id> with the ID of the security group that allows access only from specific IP addresses. 5. Verify the changes by running the following command:
aws rds describe-db-instances --db-instance-identifier <db-instance-identifier> --query 'DBInstances[*].[DBInstanceIdentifier,VpcSecurityGroups[0].VpcSecurityGroupId]'
Note: Replace <db-instance-identifier> with the identifier of the MongoDB instance.After these steps, the MongoDB instance will only allow access from specific IP addresses.
To remediate unrestricted MongoDB access in AWS using Python, you can follow these steps:
  1. Identify the MongoDB instances running in your AWS environment.
  2. For each instance, check if the security group associated with it allows unrestricted access to the MongoDB port (default port is 27017).
  3. If the security group allows unrestricted access, update the security group to restrict access to the MongoDB port to only the necessary IP addresses or CIDR ranges.
  4. You can use the boto3 library in Python to interact with the AWS API and perform the above steps.
Here’s a sample Python code that can help you remediate the issue:
import boto3

# Initialize the AWS client
client = boto3.client('ec2')

# Get a list of all MongoDB instances
response = client.describe_instances(
    Filters=[
        {
            'Name': 'tag:Name',
            'Values': ['*mongodb*']
        }
    ]
)

# Loop through each instance and update its security group
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        for sg in instance['SecurityGroups']:
            # Check if the security group allows unrestricted access to MongoDB port
            ip_permissions = sg['IpPermissions']
            unrestricted_access = False
            for permission in ip_permissions:
                if permission['IpProtocol'] == 'tcp' and permission['FromPort'] == 27017 and permission['ToPort'] == 27017:
                    for ip_range in permission['IpRanges']:
                        if ip_range['CidrIp'] == '0.0.0.0/0':
                            unrestricted_access = True
                            break
            
            # If unrestricted access is allowed, update the security group
            if unrestricted_access:
                response = client.authorize_security_group_ingress(
                    GroupId=sg['GroupId'],
                    IpPermissions=[
                        {
                            'IpProtocol': 'tcp',
                            'FromPort': 27017,
                            'ToPort': 27017,
                            'IpRanges': [
                                {
                                    'CidrIp': '10.0.0.0/8' # Replace with the necessary IP addresses or CIDR ranges
                                }
                            ]
                        }
                    ]
                )
                print(response)
Note: This is just a sample code and may need to be modified based on your specific AWS environment and requirements. It’s recommended to test the code in a non-production environment before applying it to your production environment.

Additional Reading: