Description: 

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to MongoDB ports 27017 and 27018.

MongoDB Database services used TCP ports 27017 and 27018, It is a free open-source cross-platform document-oriented NoSQL database. We recommend all MongoDBs should be protected with an access control mechanism to prevent data theft and data loss.

If restricted ingress access to MongoDB (27017 and 27018) means we do not allow to access my database.


Rationale: 

Removing unfettered connectivity to remote console services, and nobody will access my internal database server, reduces a database server’s exposure to risk. Ensure no security groups allow ingress from 0.0.0.0/0 or::/0 to MongoDB ports 27017 and 27018.


Impact: 

In your security group policy is allowing unrestricted inbound/ingress access on port 27017 MongoDB Database access can increase opportunities for malicious activity such as hacking, denial-of-service(DoS) attacks and loss of data.

The associated security groups should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have not to access Mongo through another security group. 


Default Value:

The default port for MongoDB is: 

  1. 27017 is the default port for MongoDB and Mongos instances.

  2. 27018 is the default port for MongoDB when running with --shardsvr command-line option or the shardsvr value for ClusterRole setting in a configuration file.

  3. 27019 is the default port for MongoDB when running with --configsvr command-line option or the configsvr value for the Clusterrole setting in a configuration file.

The default value in the Security Group

Inbound

Type

Protocol

Port Range

Source

Description

All traffic

All

All

Security Group ID
(e.g.:- sg-dedc3c97 / default)

For the associated instances, inbound traffic allows network interfaces that are assigned to the same security group.

Audit:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

  3. Click on Security Groups, under NETWORK & SECURITY section, in the left navigation pane

  4. Verify the value in the Source column for any inbound rules with the Port Range set to 27017 have the source set to 0.0.0.0/0 or ::/0 (Anywhere), then the selected security group allows unrestricted data traffic on port 27017.


Via CLI:

The following command describes a security group the command you can use for each security groups individual to check which IP or ports inbound or outbound

aws ec2 describe-security-groups --region us-east-1 \
--filters Name=ip-permission.from-port,Values=27017 \ 
Name=ip-permission.to-port,Values=27017 Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query 'SecurityGroups[*].{Name:GroupName}'


Remediation:

Pre-Requisite:

  1. Before starting the below implementation steps note down all configurations which IP and which port in the inbound.

  2. Avoid the login through the Root user.

  3. Only authorized persons (i.e, admins) can access the Security Groups.

  4. You cannot delete the default security groups but you can edit and modify them but here you can create security groups and create your own rules in them.

  5. Do not attach the default security group to any EC2 instance.

  6. When you use MongoDB (port - 27017) and want to prevent the MongoDB server then you follow the below implementation steps.


Implementation Steps:

Step 1: Sign in to the AWS Management Console.

Step 2: Go to EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Security Groups, under NETWORK & SECURITY section, in the left navigation pane

Step 4: Select the appropriate security group (see Audit section to identify the right one(s)).

Step 5: Select the Inbound tab and click the Edit inbound rules button.

Step 6: In the Edit inbound rules dialog box, go to source column and perform one of the following actions to restrict the inbound traffic: Click on source dropdown

  1. Select My IP to allow inbound traffic only from your machine (i.e, from your IP address only).

  2. Select Custom and enter IP addresses or name or ID of another security group based on your access requirements

Backout Plan:

If you want to proceed with previous settings go through the Implementation steps section and set all previous policies that you have written somewhere.

 

Or else you can delete the security group you created

Step 1: Sign in to the AWS Management Console.

Step 2: Go to EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Security Groups, under NETWORK & SECURITY section, in the left navigation pane

Step 4: Open the security group by clicking on security group ID

Step 5: Click on Actions dropdown and select Delete Security groups


Via CLI:

The following command is used to delete created security group id in the security_group_id enter the security group id which you show on your console.

aws ec2 delete-security-group --group-id <security_group_id>


Reference:

  1. revoke-security-group-ingress — AWS CLI 1.19.111 Command Reference

  2. get-instance-port-states — AWS CLI 1.19.111 Command Reference

  3. describe-security-groups — AWS CLI 1.19.107 Command Reference

  4. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules 

  5. Security - MongoDB on AWS