id: azure-nsg-mongodb-unrestricted info: name: Unrestricted MongoDB Access in Azure NSGs author: princechaddha severity: high description: | Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP ports 27017, 27018, and 27019, used by MongoDB, to prevent unauthorized database access. impact: | Allowing unrestricted access to MongoDB ports can expose databases to risks such as unauthorized data access, data manipulation, or data theft. remediation: | Modify NSG rules to restrict access on TCP ports 27017, 27018, and 27019. Only allow known IPs and implement database encryption and other security measures. reference: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview tags: cloud,devops,azure,microsoft,nsg,azure-cloud-config flow: | code(1); for (let NsgData of iterate(template.nsgdata)) { NsgData = JSON.parse(NsgData) set("nsg", NsgData.name) set("resourcegroup", NsgData.resourceGroup) code(2) } self-contained: true code: - engine: - sh - bash source: | az network nsg list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json extractors: - type: json name: nsgdata internal: true json: - '.[]' - engine: - sh - bash source: | az network nsg rule list --nsg-name $nsg --resource-group $resourcegroup --query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && (destinationPortRange=='27017' || destinationPortRange=='27018' || destinationPortRange=='27019')]" matchers: - type: word words: - '"sourceAddressPrefix": "*"' - '"sourceAddressPrefix": "internet"' - '"sourceAddressPrefix": "any"' extractors: - type: dsl dsl: - 'nsg + " has unrestricted access on TCP ports 27017, 27018, and 27019"' # digest: 490a004630440220189c7ffba411d72c8b28f8c8b54a1e5b05099b7c61d3c9815f7ef3c7749b28f802203a11edc5354fb0ebd2744ad441f5581a4653c62725b61f64c02c7fca9b64c967:922c64590222798bb761d5b6d8e72950