Control: VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018
Description
This control checks whether the VPC security groups that are in use allow ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 27017 and 27018.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.vpc_security_group_allows_ingress_to_mongodb_portsSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.vpc_security_group_allows_ingress_to_mongodb_ports --shareSQL
This control uses a named query:
with ingress_ssh_rules as ( select group_id, count(*) as num_ssh_rules from aws_vpc_security_group_rule where type = 'ingress' and cidr_ipv4 = '0.0.0.0/0' and ( ( ip_protocol = '-1' and from_port is null ) or ( from_port <= 27017 and to_port >= 27017 ) or ( from_port <= 27018 and to_port >= 27018 ) ) group by group_id)select arn as resource, case when ingress_ssh_rules.group_id is null then 'ok' else 'alarm' end as status, case when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for mongodb ports from 0.0.0.0/0.' else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for mongodb ports from 0.0.0.0/0.' end as reason , sg.region, sg.account_idfrom aws_vpc_security_group as sg left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;