Security Group Allows Internet Access to Cassandra Ports

Overview

This check identifies AWS security groups that allow unrestricted inbound access from the internet (0.0.0.0/0 or ::/0) to Apache Cassandra database ports. Cassandra uses several ports for different purposes:

  • Port 7199 - JMX (Java Management Extensions) monitoring
  • Port 9160 - Thrift client connections (legacy)
  • Port 8888 - OpsCenter web interface

Security groups act as virtual firewalls for your AWS resources. Allowing internet access to database ports exposes your Cassandra clusters to anyone on the internet.

Risk

Exposing Cassandra ports to the internet creates serious security vulnerabilities:

  • Data breach: Attackers can connect directly to your database and steal sensitive data
  • Unauthorized access: JMX port exposure allows attackers to execute arbitrary code and manage your cluster
  • Ransomware attacks: Attackers can encrypt or delete your data and demand payment
  • Service disruption: Denial-of-service attacks can overwhelm your database
  • Lateral movement: Compromised databases can be used to attack other resources in your network

Cassandra databases should only be accessible from trusted networks, such as your application servers within the same VPC.

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify security groups
  • Knowledge of which IP addresses or security groups legitimately need Cassandra access

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • ec2:DescribeSecurityGroups
  • ec2:DescribeSecurityGroupRules
  • ec2:RevokeSecurityGroupIngress
  • ec2:AuthorizeSecurityGroupIngress

AWS Console Method

Step 1: Identify the Problem Security Groups

  1. Go to the EC2 Console in us-east-1
  2. Click Security Groups in the left sidebar under "Network & Security"
  3. For each security group, click on it and review the Inbound rules tab
  4. Look for rules that have:
    • Source of 0.0.0.0/0 or ::/0
    • Port range containing 7199, 9160, or 8888

Step 2: Remove the Dangerous Rules

  1. Select the security group with the problematic rule
  2. Click the Inbound rules tab
  3. Click Edit inbound rules
  4. Find the rule allowing internet access to Cassandra ports
  5. Click Delete (the X button) next to that rule
  6. Click Save rules

Step 3: Add Restricted Access (if needed)

If legitimate services need Cassandra access, add rules with restricted sources:

  1. Click Edit inbound rules
  2. Click Add rule
  3. Configure the rule:
    • Type: Custom TCP
    • Port range: Enter the specific port (7199, 9160, or 8888)
    • Source: Select one of these safer options:
      • A specific CIDR block (e.g., 10.0.0.0/16 for your VPC)
      • Another security group (e.g., your application server security group)
  4. Add a Description explaining the purpose
  5. Click Save rules

AWS CLI (optional)

Find Security Groups with Open Cassandra Ports

Check for security groups allowing internet access to port 7199:

aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=7199 \
              Name=ip-permission.to-port,Values=7199 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].[GroupId,GroupName]" \
    --output table \
    --region us-east-1

Repeat for ports 9160 and 8888:

aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=9160 \
              Name=ip-permission.to-port,Values=9160 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].[GroupId,GroupName]" \
    --output table \
    --region us-east-1

aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=8888 \
              Name=ip-permission.to-port,Values=8888 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].[GroupId,GroupName]" \
    --output table \
    --region us-east-1

Remove the Dangerous Rules

Remove internet access to port 7199:

aws ec2 revoke-security-group-ingress \
    --group-id <your-security-group-id> \
    --protocol tcp \
    --port 7199 \
    --cidr 0.0.0.0/0 \
    --region us-east-1

Remove internet access to port 9160:

aws ec2 revoke-security-group-ingress \
    --group-id <your-security-group-id> \
    --protocol tcp \
    --port 9160 \
    --cidr 0.0.0.0/0 \
    --region us-east-1

Remove internet access to port 8888:

aws ec2 revoke-security-group-ingress \
    --group-id <your-security-group-id> \
    --protocol tcp \
    --port 8888 \
    --cidr 0.0.0.0/0 \
    --region us-east-1

For IPv6 rules, use ::/0 instead of 0.0.0.0/0.

Add Restricted Access (if needed)

Allow access only from your VPC CIDR:

aws ec2 authorize-security-group-ingress \
    --group-id <your-security-group-id> \
    --protocol tcp \
    --port 7199 \
    --cidr 10.0.0.0/16 \
    --region us-east-1

Or allow access from a specific security group:

aws ec2 authorize-security-group-ingress \
    --group-id <your-security-group-id> \
    --protocol tcp \
    --port 7199 \
    --source-group <app-server-security-group-id> \
    --region us-east-1

CloudFormation (optional)

This template creates a security group with properly restricted Cassandra access:

AWSTemplateFormatVersion: '2010-09-09'
Description: Security group for Cassandra with restricted access

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC where the security group will be created

  AllowedCidr:
    Type: String
    Description: CIDR block allowed to access Cassandra (e.g., your VPC CIDR)
    Default: 10.0.0.0/16
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$

Resources:
  CassandraSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: cassandra-restricted-access
      GroupDescription: Security group for Cassandra with restricted access - no internet exposure
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # JMX monitoring port - internal only
        - IpProtocol: tcp
          FromPort: 7199
          ToPort: 7199
          CidrIp: !Ref AllowedCidr
          Description: JMX monitoring from internal network only

        # Thrift client port - internal only
        - IpProtocol: tcp
          FromPort: 9160
          ToPort: 9160
          CidrIp: !Ref AllowedCidr
          Description: Thrift client connections from internal network only

        # OpsCenter web interface - internal only
        - IpProtocol: tcp
          FromPort: 8888
          ToPort: 8888
          CidrIp: !Ref AllowedCidr
          Description: OpsCenter web UI from internal network only

        # Native CQL port - internal only
        - IpProtocol: tcp
          FromPort: 9042
          ToPort: 9042
          CidrIp: !Ref AllowedCidr
          Description: CQL native protocol from internal network only

        # Inter-node communication - internal only
        - IpProtocol: tcp
          FromPort: 7000
          ToPort: 7001
          CidrIp: !Ref AllowedCidr
          Description: Inter-node communication from internal network only

      Tags:
        - Key: Name
          Value: cassandra-restricted-access
        - Key: Purpose
          Value: Cassandra database access - no internet exposure

Outputs:
  SecurityGroupId:
    Description: ID of the Cassandra security group
    Value: !Ref CassandraSecurityGroup
    Export:
      Name: CassandraSecurityGroupId

Deploy with:

aws cloudformation deploy \
    --template-file cassandra-security-group.yaml \
    --stack-name cassandra-security-group \
    --parameter-overrides \
        VpcId=vpc-xxxxxxxxx \
        AllowedCidr=10.0.0.0/16 \
    --region us-east-1

Terraform (optional)

variable "vpc_id" {
  description = "VPC where the security group will be created"
  type        = string
}

variable "allowed_cidr" {
  description = "CIDR block allowed to access Cassandra (e.g., your VPC CIDR)"
  type        = string
  default     = "10.0.0.0/16"
}

resource "aws_security_group" "cassandra" {
  name        = "cassandra-restricted-access"
  description = "Security group for Cassandra with restricted access - no internet exposure"
  vpc_id      = var.vpc_id

  # JMX monitoring port - internal only
  ingress {
    description = "JMX monitoring from internal network only"
    from_port   = 7199
    to_port     = 7199
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  # Thrift client port - internal only
  ingress {
    description = "Thrift client connections from internal network only"
    from_port   = 9160
    to_port     = 9160
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  # OpsCenter web interface - internal only
  ingress {
    description = "OpsCenter web UI from internal network only"
    from_port   = 8888
    to_port     = 8888
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  # Native CQL port - internal only
  ingress {
    description = "CQL native protocol from internal network only"
    from_port   = 9042
    to_port     = 9042
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  # Inter-node communication - internal only
  ingress {
    description = "Inter-node communication from internal network only"
    from_port   = 7000
    to_port     = 7001
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  # Allow all outbound traffic
  egress {
    description = "Allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name    = "cassandra-restricted-access"
    Purpose = "Cassandra database access - no internet exposure"
  }
}

output "security_group_id" {
  description = "ID of the Cassandra security group"
  value       = aws_security_group.cassandra.id
}

Deploy with:

terraform init
terraform plan -var="vpc_id=vpc-xxxxxxxxx" -var="allowed_cidr=10.0.0.0/16"
terraform apply -var="vpc_id=vpc-xxxxxxxxx" -var="allowed_cidr=10.0.0.0/16"

Verification

After making changes, verify the security group no longer allows internet access to Cassandra ports:

  1. Go to the EC2 Console in us-east-1
  2. Click Security Groups in the left sidebar
  3. Select the security group you modified
  4. Click the Inbound rules tab
  5. Verify there are no rules with:
    • Source 0.0.0.0/0 or ::/0
    • Port range containing 7199, 9160, or 8888

CLI verification commands

Verify no security groups allow internet access to Cassandra ports:

# Check port 7199
aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=7199 \
              Name=ip-permission.to-port,Values=7199 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].GroupId" \
    --output text \
    --region us-east-1

# Check port 9160
aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=9160 \
              Name=ip-permission.to-port,Values=9160 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].GroupId" \
    --output text \
    --region us-east-1

# Check port 8888
aws ec2 describe-security-groups \
    --filters Name=ip-permission.from-port,Values=8888 \
              Name=ip-permission.to-port,Values=8888 \
              Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].GroupId" \
    --output text \
    --region us-east-1

Empty output means no security groups have internet-exposed Cassandra ports.
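The describe-security-groups filters above (both in "Find Security Groups with Open Cassandra Ports" and in the verification commands) match the exact FromPort and ToPort values and an IPv4 CIDR only, so a rule that opens a wider TCP range (say 7000-9999), an "all traffic" rule (protocol -1), or an IPv6 rule from ::/0 (which needs the ip-permission.ipv6-cidr filter) slips past them even though it exposes the same ports. The following is an added example, not code from this page or from Prowler, that evaluates the security-group JSON the way the console steps describe it ("port range containing 7199, 9160, or 8888" from 0.0.0.0/0 or ::/0) and turns each finding into the exact IpPermissions entry a revoke call must name. It runs offline on a constructed sample in the shape describe-security-groups returns; the group IDs are placeholders, and the function names are my own.

```python
import ipaddress
import json

# Ports this Prowler check covers: 7199 JMX, 9160 Thrift, 8888 OpsCenter.
CASSANDRA_PORTS = (7199, 9160, 8888)


def is_internet_source(cidr):
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix in either address family)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def internet_sources(perm):
    """Internet-wide CIDR sources of one IpPermissions entry (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_internet_source(c)]


def rule_covers_port(perm, port):
    """True if the entry reaches TCP `port`.

    Protocol -1 ("all traffic") carries no port fields and covers everything;
    a TCP range such as 7000-9999 covers every port inside it. The exact-port
    CLI filters above match neither of these rules.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_cassandra_rules(security_groups, ports=CASSANDRA_PORTS):
    """Return (GroupId, port, source) for every Cassandra port open to the internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = internet_sources(perm)
            if not sources:
                continue
            for port in ports:
                if rule_covers_port(perm, port):
                    findings.extend((sg["GroupId"], port, src) for src in sources)
    return findings


def revoke_params(security_groups, ports=CASSANDRA_PORTS):
    """Per-group IpPermissions to pass to revoke-security-group-ingress.

    A revoke must name the rule as it exists (protocol and full port range),
    narrowed to the internet source, so a 7000-9999 rule is revoked as
    7000-9999 rather than as port 7199.
    """
    plan = {}
    for sg in security_groups:
        perms = []
        for perm in sg.get("IpPermissions", []):
            sources = internet_sources(perm)
            if not sources or not any(rule_covers_port(perm, p) for p in ports):
                continue
            for src in sources:
                entry = {"IpProtocol": perm["IpProtocol"]}
                if perm["IpProtocol"] != "-1":
                    entry["FromPort"] = perm["FromPort"]
                    entry["ToPort"] = perm["ToPort"]
                key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in src else ("IpRanges", "CidrIp")
                entry[key] = [{field: src}]
                perms.append(entry)
        if perms:
            plan[sg["GroupId"]] = perms
    return plan


# Constructed sample in the shape `aws ec2 describe-security-groups` returns;
# the group IDs are placeholders, not real resources.
SAMPLE_SECURITY_GROUPS = [
    {   # exact-port rule: the case the CLI filters do catch
        "GroupId": "sg-0example01", "GroupName": "cassandra-open-jmx",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 7199, "ToPort": 7199,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # wide range over IPv6: covers all three ports, invisible to exact-port filters
        "GroupId": "sg-0example02", "GroupName": "cassandra-wide-range",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 9999,
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # all traffic from the VPC only (compliant) plus 9042, which this check does not cover
        "GroupId": "sg-0example03", "GroupName": "cassandra-internal",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
                          {"IpProtocol": "tcp", "FromPort": 9042, "ToPort": 9042,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
]

if __name__ == "__main__":
    for group_id, port, src in find_exposed_cassandra_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: port {port} open to {src}")
    # Emit the equivalent CLI call; --ip-permissions takes the same JSON shape.
    for group_id, perms in revoke_params(SAMPLE_SECURITY_GROUPS).items():
        print(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
              f"--ip-permissions '{json.dumps(perms)}'")
```

Passing ports=(9042,) evaluates the native CQL port the Notes mention, which this check itself does not flag. Feed the script real data by saving the output of aws ec2 describe-security-groups and loading its SecurityGroups list in place of the sample; review the printed revoke commands before running any of them, since a wide-range rule may also carry traffic the Notes warn you not to break.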

Run Prowler to confirm the check passes:

prowler aws -c ec2_securitygroup_allow_ingress_from_internet_to_cassandra_ports --region us-east-1

Additional Resources

Notes

  • Service interruption warning: Before removing security group rules, ensure you understand which services rely on them. Removing rules may break legitimate connections. Test changes in a non-production environment first.

  • Cassandra ports overview:
    • 7199 - JMX monitoring (especially dangerous - allows remote code execution)
    • 9160 - Thrift client protocol (legacy, consider disabling if not used)
    • 8888 - OpsCenter web interface
    • 9042 - Native CQL protocol (not covered by this check but should also be restricted)
    • 7000/7001 - Inter-node cluster communication

  • Alternative access methods: If you need remote access to Cassandra for administration:
    • Use AWS Systems Manager Session Manager to connect to instances
    • Set up a VPN or AWS Direct Connect
    • Use a bastion host within your VPC
    • Consider AWS PrivateLink for service-to-service communication

  • IPv6 considerations: This check also flags ::/0 (IPv6 any address). Apply the same remediation for IPv6 rules.

  • Compliance frameworks: This check relates to several compliance requirements:

    • CIS AWS Foundations Benchmark
    • PCI DSS (network segmentation requirements)
    • SOC 2 (access control requirements)
    • NIST 800-53 (SC-7 Boundary Protection)