Profile Applicability:
Level 1
Description:
This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP ports 27017 and 27018, which are the default MongoDB database ports. Allowing public access to these ports exposes the database to unauthorized users and attackers on the internet, leading to potential data breaches, privilege escalation, or denial-of-service attacks.
Rationale:
MongoDB databases often contain sensitive business, customer, or application data. When these ports are open to the internet, attackers can directly connect to and query the database without authentication or encryption, especially if misconfigured. Restricting MongoDB access to trusted internal networks, private subnets, or VPN connections mitigates the risk of exploitation and aligns with CIS, SOC 2, ISO 27001, and HIPAA requirements for secure data handling and access control.
Impact:
Positive Impact: Improves database security by ensuring that only authorized networks or instances can communicate with MongoDB, reducing the risk of data exposure or compromise.
Negative Impact: Legitimate users outside of allowed networks must connect through secure alternatives like VPNs, bastion hosts, or private VPC peering.
Default Value:
By default, new Security Groups deny all inbound traffic until specific rules are added.
Pre-Requisite:
- IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, and ec2:AuthorizeSecurityGroupIngress.
- Knowledge of trusted private IP ranges or application servers that require MongoDB access.
Remediation:
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to EC2 → Security Groups.
- For each Security Group, open the Inbound Rules tab.
- Look for rules with the following criteria:
  - Protocol: TCP
  - Port Range: 27017–27018 (or custom rules for either port)
  - Source: 0.0.0.0/0 or ::/0
- If any such rule exists, the Security Group is non-compliant.
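The Test Plan check above as an added example (not part of this control's text): a Python audit over the SecurityGroups list in the shape returned by ec2:DescribeSecurityGroups (boto3 describe_security_groups()), run here on constructed sample groups. It goes slightly beyond the console steps by also flagging wider port ranges that contain 27017–27018 and "All traffic" (-1) rules, which both expose the MongoDB ports.

```python
# Added example (not part of the original control): flags Security Group ingress
# rules that expose the MongoDB ports, TCP 27017-27018, to 0.0.0.0/0 or ::/0.
# Input is the "SecurityGroups" list as returned by ec2:DescribeSecurityGroups.

MONGO_PORTS = (27017, 27018)


def covers_mongo_port(perm):
    """True if an IpPermissions entry reaches TCP 27017 or 27018."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "All traffic" rules include every TCP port
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in MONGO_PORTS)   # catches 27000-28000 too


def is_public_source(perm):
    """True if any source of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_noncompliant(security_groups):
    """Return (GroupId, IpProtocol, FromPort, ToPort) for each offending rule."""
    return [
        (sg["GroupId"], p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort"))
        for sg in security_groups
        for p in sg.get("IpPermissions", [])
        if covers_mongo_port(p) and is_public_source(p)
    ]


# Constructed sample data in the DescribeSecurityGroups shape (not real AWS output).
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [           # open to IPv4 internet
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [           # compliant: VPC CIDR only
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27018,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [           # wide range hides the port
        {"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 28000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [           # "All traffic" from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in find_noncompliant(SAMPLE_SGS):
        print("NON-COMPLIANT:", finding)
```

To audit a real account, pass the "SecurityGroups" value of boto3's ec2.describe_security_groups() response in place of SAMPLE_SGS; the group IDs and CIDRs above are made up.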
Implementation Plan
Using AWS Console:
- Navigate to EC2 → Security Groups.
- Select the non-compliant Security Group.
- Go to the Inbound Rules tab and click Edit inbound rules.
- Identify and remove any rule that allows TCP 27017–27018 from 0.0.0.0/0 or ::/0.
- Add more restrictive rules to limit access to trusted networks only, such as:
  - Source: Your VPC CIDR (e.g., 10.0.0.0/16)
  - Source: Specific subnet CIDR (e.g., 10.0.1.0/24)
  - Source: Application server IP (e.g., 10.0.2.15/32)
- Click Save rules to apply changes.
- Verify that MongoDB remains accessible from trusted sources.
Backout Plan:
Using AWS Console:
- If legitimate applications lose connectivity after rule updates, temporarily re-add access from specific IP addresses while investigating the issue.
- Use VPC Peering, AWS PrivateLink, or a Bastion Host for controlled MongoDB access instead of exposing it to the public internet.