Skip to main content

More Info:

Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

  • Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate unrestricted MongoDB access in Azure:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the “Azure Cosmos DB” service from the dashboard.
  3. Select the database account that has the unrestricted MongoDB access.
  4. Click on the “Firewalls and virtual networks” option from the left-hand side menu.
  5. Under the “Firewalls and virtual networks” tab, select “Selected networks” and then click on the “Add my IP” button.
  6. This will add your current IP address to the allowed list of IP addresses that can access the database.
  7. If you want to allow access from other IP addresses, you can add them by clicking on the “Add IP range” button.
  8. Once you have added the required IP addresses, click on the “Save” button to save the changes.
  9. After saving the changes, you can verify that the unrestricted MongoDB access has been remediated by attempting to access the database from an IP address that is not on the allowed list. You should receive an error message indicating that access is denied.
That’s it! By following these steps, you have successfully remediated the unrestricted MongoDB access in Azure.

To remediate Unrestricted MongoDB Access in Azure using Azure CLI, you can follow the below steps:
  1. Open the Azure CLI on your local machine or use the Azure Cloud Shell.
  2. Run the following command to list all the MongoDB accounts in your Azure subscription: 
    az mongodb list --output table
  3. Identify the MongoDB account that has unrestricted access.
  4. Run the following command to update the MongoDB account to restrict access: 
    az mongodb update --resource-group <resource-group-name> --name <mongodb-account-name> --public-network-access Disabled
    Replace <resource-group-name> with the name of the resource group in which the MongoDB account is located and <mongodb-account-name> with the name of the MongoDB account that you want to update.
  5. After running the above command, the MongoDB account will be updated to restrict access and will only be accessible from within the virtual network or via a private endpoint.
By following the above steps, you can remediate the Unrestricted MongoDB Access misconfiguration in Azure using Azure CLI.
To remediate the Unrestricted MongoDB Access misconfiguration in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using pip command:
pip install azure
Step 2: Use the below Python code to remediate the misconfiguration:
from azure.mgmt.network import NetworkManagementClient
from azure.common.credentials import ServicePrincipalCredentials

# Replace the values with your actual subscription ID, client ID, secret key and tenant ID
subscription_id = 'your-subscription-id'
client_id = 'your-client-id'
secret = 'your-secret'
tenant = 'your-tenant-id'

credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=secret,
    tenant=tenant
)

network_client = NetworkManagementClient(credentials, subscription_id)

# Replace the values with your actual resource group and network security group names
resource_group_name = 'your-resource-group-name'
nsg_name = 'your-nsg-name'

# Get the existing NSG rules
nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)

# Remove the existing rule that allows unrestricted MongoDB access
for rule in nsg.security_rules:
    if rule.destination_port_range == '27017' and rule.destination_address_prefix == '*':
        nsg.security_rules.remove(rule)

# Create a new rule that allows MongoDB access only from specific IP addresses
from azure.mgmt.network.v2019_11_01.models import SecurityRule, SecurityRuleProtocol

rule_name = 'mongodb-access'
new_rule = SecurityRule(
    name=rule_name,
    protocol=SecurityRuleProtocol.tcp,
    source_address_prefix='your-ip-address',
    destination_address_prefix='*',
    destination_port_range='27017',
    access='Allow',
    direction='Inbound',
    priority=1000
)

nsg.security_rules.append(new_rule)

# Update the NSG with the new rule
network_client.network_security_groups.create_or_update(resource_group_name, nsg_name, nsg)
In the above code, replace the placeholders your-subscription-id, your-client-id, your-secret, your-tenant-id, your-resource-group-name, your-nsg-name and your-ip-address with your actual values.This code will remove the existing rule that allows unrestricted MongoDB access and create a new rule that allows access only from specific IP addresses.