Ensure No EC2 Instances Allow Ingress from the Internet to MongoDB Ports

Overview

This check identifies EC2 instances with security groups that allow inbound traffic from the internet (0.0.0.0/0 or ::/0) on TCP ports 27017 or 27018, which are used by MongoDB databases.

MongoDB should never be directly accessible from the internet. Exposing database ports publicly is one of the most common causes of data breaches.

Risk

If MongoDB ports are open to the internet, attackers can:

  • Steal your data - Unauthorized users can connect and extract sensitive information
  • Delete or modify data - Attackers may tamper with or destroy your database contents
  • Install ransomware - Criminals commonly encrypt exposed databases and demand payment
  • Use your server as a foothold - A compromised database server can be used to attack other systems in your network

This is a critical severity finding because MongoDB has historically been a frequent target of automated attacks scanning for exposed instances.

Remediation Steps

Prerequisites

You need permission to modify EC2 security groups in your AWS account. This typically requires the ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress permissions.

AWS Console Method

  1. Sign in to the AWS Console and go to EC2
  2. In the left sidebar, click Security Groups (under Network & Security)
  3. Find the security group attached to the flagged EC2 instance
  4. Select the security group and click the Inbound rules tab
  5. Click Edit inbound rules
  6. Locate any rule that:
    • Has Port range of 27017 or 27018
    • Has Source of 0.0.0.0/0 or ::/0
  7. Click Delete next to each offending rule
  8. If you need MongoDB access from specific locations, click Add rule and enter:
    • Type: Custom TCP
    • Port range: 27017-27018
    • Source: Your specific IP or CIDR (e.g., 10.0.0.0/8 for internal traffic)
  9. Click Save rules

AWS CLI (optional)

First, identify security groups with exposed MongoDB ports. Note that the two filters are evaluated independently against each security group, so a group that has port 27017 open to an internal CIDR and some other port open to 0.0.0.0/0 will also be listed; inspect the inbound rules of each result before revoking anything:

aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=27017" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query "SecurityGroups[*].[GroupId,GroupName]" \
--output table

Remove the rule allowing public access (replace <SECURITY_GROUP_ID> with your security group ID). The revoke must match the existing rule exactly (protocol, port range and CIDR); if the offending rule was created as the range 27017-27018, use --port 27017-27018 instead, otherwise the call fails with an InvalidPermission.NotFound error:

# Remove IPv4 public access to port 27017
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 27017 \
--cidr 0.0.0.0/0

# Remove IPv4 public access to port 27018
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 27018 \
--cidr 0.0.0.0/0

# Remove IPv6 public access (if applicable); one call per port, matching the existing rules exactly
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--ip-permissions IpProtocol=tcp,FromPort=27017,ToPort=27017,Ipv6Ranges='[{CidrIpv6=::/0}]'

aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--ip-permissions IpProtocol=tcp,FromPort=27018,ToPort=27018,Ipv6Ranges='[{CidrIpv6=::/0}]'

If you need to allow access from a trusted network, add a restricted rule:

aws ec2 authorize-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 27017-27018 \
--cidr 10.0.0.0/8

CloudFormation (optional)

Use this template to create a security group with properly restricted MongoDB access. The AllowedPattern on TrustedCidr only checks that the value is shaped like an IPv4 CIDR; it does not reject 0.0.0.0/0, so review the value you pass for TrustedCidr rather than relying on the pattern:

AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with restricted MongoDB access (ports 27017-27018)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC where the security group will be created

  TrustedCidr:
    Type: String
    Description: Trusted CIDR block for MongoDB access
    Default: 10.0.0.0/8
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$

Resources:
  MongoDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with restricted MongoDB access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 27017
          ToPort: 27018
          CidrIp: !Ref TrustedCidr
          Description: MongoDB access from trusted network only
      Tags:
        - Key: Name
          Value: mongodb-restricted-sg

Outputs:
  SecurityGroupId:
    Description: ID of the created security group
    Value: !Ref MongoDBSecurityGroup

Deploy with:

aws cloudformation deploy \
--region us-east-1 \
--template-file mongodb-sg.yaml \
--stack-name mongodb-security-group \
--parameter-overrides VpcId=<YOUR_VPC_ID> TrustedCidr=10.0.0.0/8

Terraform (optional)

Use this configuration to create the same restricted security group with Terraform:

variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr_blocks" {
  description = "List of trusted CIDR blocks for MongoDB access"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

resource "aws_security_group" "mongodb" {
  name        = "mongodb-restricted-sg"
  description = "Security group with restricted MongoDB access"
  vpc_id      = var.vpc_id

  tags = {
    Name = "mongodb-restricted-sg"
  }
}

resource "aws_security_group_rule" "mongodb_ingress" {
  type              = "ingress"
  from_port         = 27017
  to_port           = 27018
  protocol          = "tcp"
  cidr_blocks       = var.trusted_cidr_blocks
  security_group_id = aws_security_group.mongodb.id
  description       = "MongoDB access from trusted networks only"
}

output "security_group_id" {
  description = "ID of the MongoDB security group"
  value       = aws_security_group.mongodb.id
}

Verification

After making changes, verify the fix:

  1. Return to EC2 > Security Groups in the AWS Console
  2. Select the modified security group
  3. Check the Inbound rules tab
  4. Confirm there are no rules allowing ports 27017 or 27018 from 0.0.0.0/0 or ::/0

CLI verification

# Check for any remaining public MongoDB rules
aws ec2 describe-security-groups \
--region us-east-1 \
--group-ids <SECURITY_GROUP_ID> \
--query "SecurityGroups[*].IpPermissions[?FromPort==\`27017\` || FromPort==\`27018\`]" \
--output json

The output should show no rules with 0.0.0.0/0 or ::/0 in the CidrIp or CidrIpv6 fields. Be aware that this query only lists rules whose FromPort is exactly 27017 or 27018; a rule with a wider range (for example 27000-28000) or an "all traffic" rule (IpProtocol -1, which has no FromPort) also exposes MongoDB but would not appear, so review those rules separately.
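Because neither the describe-security-groups filters used to find candidate groups nor the FromPort query above catch rules that merely span the MongoDB ports or allow all traffic, the following added example (not part of the original check's tooling) evaluates the JSON that `aws ec2 describe-security-groups --output json` returns and reports every rule that exposes 27017 or 27018 to 0.0.0.0/0 or ::/0. The script name, the group IDs and the sample JSON are constructed for illustration; the field names match the CLI output.

```python
"""Audit describe-security-groups JSON for MongoDB ports exposed to the internet.

Added example, not code from the original check. Feed it saved CLI output:

    aws ec2 describe-security-groups --region us-east-1 --output json \
        | python3 audit_mongodb_sg.py          # script name is an assumption

Run with no stdin (interactive terminal) it evaluates the constructed sample.
"""
import json
import sys

MONGODB_PORTS = (27017, 27018)
# Source ranges that mean "anywhere on the internet".
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry allows TCP traffic to `port`.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort.
    """
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):      # "6" is the numeric form of TCP
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def public_sources(perm: dict) -> list:
    """Return the public IPv4/IPv6 CIDRs a permission entry allows."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in PUBLIC_CIDRS]


def exposed_mongodb_rules(describe_output: dict) -> list:
    """One finding per (group, rule, public source) that exposes a MongoDB port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not any(rule_covers_port(perm, p) for p in MONGODB_PORTS):
                continue
            for src in public_sources(perm):
                findings.append({
                    "GroupId": sg.get("GroupId"),
                    "GroupName": sg.get("GroupName"),
                    "IpProtocol": perm.get("IpProtocol"),
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Source": src,
                })
    return findings


# Constructed sample in the shape of describe-security-groups output (group IDs are made up).
SAMPLE_OUTPUT = {
    "SecurityGroups": [
        {   # Exactly the rule the check flags: 27017 from 0.0.0.0/0.
            "GroupId": "sg-0example0001", "GroupName": "mongo-public",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
        },
        {   # Remediated: 27017-27018 from an internal CIDR only.
            "GroupId": "sg-0example0002", "GroupName": "mongo-restricted",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27018,
                               "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
        },
        {   # Wide range spanning the MongoDB ports, open to the IPv6 internet.
            "GroupId": "sg-0example0003", "GroupName": "wide-range",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 28000,
                               "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
        },
        {   # "All traffic" rule: no FromPort/ToPort at all, open to the IPv4 internet.
            "GroupId": "sg-0example0004", "GroupName": "all-traffic",
            "IpPermissions": [{"IpProtocol": "-1",
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
        },
    ]
}


if __name__ == "__main__":
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    findings = exposed_mongodb_rules(data)
    for f in findings:
        ports = "all" if f["IpProtocol"] == "-1" else f"{f['FromPort']}-{f['ToPort']}"
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} {ports} "
              f"open from {f['Source']}")
    sys.exit(1 if findings else 0)   # non-zero exit lets CI fail on any exposure
```

On the sample, groups sg-0example0001, sg-0example0003 and sg-0example0004 are reported and the remediated group is not. After remediation, piping the real CLI output through the script should produce no lines and exit 0.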

Additional Resources

Notes

  • Consider using private subnets: The most secure approach is to place MongoDB instances in private subnets with no public IP addresses. Access can then be provided through a bastion host, VPN, or AWS PrivateLink.

  • Enable MongoDB authentication: Even with network restrictions, always enable authentication on your MongoDB instances. Never run MongoDB without a password.

  • Use TLS encryption: Configure MongoDB to require TLS for all connections to protect data in transit.

  • Check all security groups: An EC2 instance can have multiple security groups attached. Verify all associated security groups have been remediated.

  • Compliance frameworks: This check is relevant to C5, ISO27001, KISA-ISMS-P, NIS2, and SOC2 compliance requirements.