Profile Applicability:
Level 1
Description:
This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to the Cassandra ports 7199, 9160, or 8888. These ports are commonly used for Cassandra database communication (e.g., client-to-node communication, internal cluster communication, or management access). Exposing these ports publicly allows attackers to scan and access the database, potentially leading to data breaches, unauthorized access, or exploitation of misconfigurations.
Rationale:
Cassandra is a distributed NoSQL database often used for storing sensitive application data. Exposing its management ports to the public internet increases the risk of unauthorized administrative access, data tampering, or brute-force attacks. By restricting these ports to trusted internal networks or authorized IP ranges, organizations reduce the attack surface, ensuring that only authorized users can interact with the database cluster. This helps meet security standards like CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Reduces the risk of unauthorized access or attacks on the Cassandra database by restricting exposure to trusted IP ranges.
Negative Impact: Admins or applications outside the authorized networks may need to connect through secure means (e.g., VPN or Bastion Hosts).
Default Value:
By default, AWS Security Groups do not allow inbound access to any port unless explicitly defined.
Pre-Requisite:
IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
Identification of trusted IP ranges or networks that need access to Cassandra for legitimate use cases.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Security Groups.
Select each Security Group and open the Inbound Rules tab.
Check for any rules that allow inbound access on ports 7199, 9160, or 8888 from 0.0.0.0/0 or ::/0. Rules that reach these ports indirectly also count: an "All traffic" rule, or a port range that spans one of them.
If any such rule is found, the Security Group is non-compliant.
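The same check, run offline against the JSON that ec2:DescribeSecurityGroups returns, as an added example that is not part of this benchmark: it flags groups whose inbound rules reach the Cassandra ports from 0.0.0.0/0 or ::/0, including through an "All traffic" (-1) rule or a wider port range. The group ids and rules below are constructed sample data.

```python
# Offline check of ec2:DescribeSecurityGroups output for inbound rules that
# expose Cassandra ports 7199, 9160 or 8888 to 0.0.0.0/0 or ::/0.
CASSANDRA_PORTS = {7199, 9160, 8888}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def exposed_ports(perm):
    """Cassandra ports covered by one IpPermissions entry.
    "-1" means all protocols/ports and carries no FromPort/ToPort; a TCP
    rule may also cover a port through a wider range (e.g. 7000-7300)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(CASSANDRA_PORTS)
    if proto not in ("tcp", "6"):        # Cassandra listeners are TCP
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in CASSANDRA_PORTS if lo <= p <= hi}

def open_to_world(perm):
    """True if any IPv4 or IPv6 source of the rule is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def find_noncompliant(security_groups):
    """Map GroupId -> sorted Cassandra ports reachable from anywhere."""
    findings = {}
    for sg in security_groups:
        ports = set()
        for perm in sg.get("IpPermissions", []):
            if open_to_world(perm):
                ports |= exposed_ports(perm)
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings

# Constructed sample in the shape of the "SecurityGroups" list returned by
# DescribeSecurityGroups (group ids are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # 9160 open to the IPv4 world
        {"IpProtocol": "tcp", "FromPort": 9160, "ToPort": 9160,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # range 7000-7300 hides 7199
        {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7300,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all traffic, but VPC-only
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": []}]},
]
```

Feed `find_noncompliant` the `SecurityGroups` list from a real `describe-security-groups` response to audit an account; an empty result means no group exposes these ports to the internet.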
Implementation Plan:
Using AWS Console:
Navigate to EC2 → Security Groups.
Select the non-compliant Security Group.
Click Edit inbound rules.
Identify and delete any rules that allow access on ports 7199, 9160, or 8888 from 0.0.0.0/0 or ::/0.
Add new inbound rules that restrict access to trusted IPs or VPC CIDR blocks, such as:
Source: Your internal VPC CIDR (e.g., 10.0.0.0/16)
Source: Specific IP addresses or VPN CIDR blocks
Click Save rules to apply the changes.
Verify that legitimate Cassandra connections can still occur within the allowed networks.
Backout Plan:
If access issues arise, temporarily re-enable access from trusted IPs for ports 7199, 9160, or 8888 while troubleshooting.
Implement secure access to Cassandra through a VPN, AWS Direct Connect, or Bastion Host if necessary.
References: