
EC2 instance does not have Cassandra ports (TCP 7000, 7001, 7199, 9042, 9160) open to the Internet

ec2_instance_port_cassandra_exposed_to_internet

Severity: critical
Service: ec2
by Prowler

EC2 instances have Cassandra service ports (7000, 7001, 7199, 9042, 9160) reachable from the Internet through security group ingress.

Public IP presence and subnet exposure are considered to assess external reachability.

Risk

Internet-exposed Cassandra enables unauthorized queries on 9042, remote management via 7199 (JMX), and tampering with inter-node channels on 7000/7001 and 9160.

Attackers can read/modify data (confidentiality, integrity), disrupt or take over the cluster (availability), and pivot within the VPC.

Run this check with Prowler CLI

prowler aws --checks ec2_instance_port_cassandra_exposed_to_internet

Fix finding with Prowler CLI

prowler aws --checks ec2_instance_port_cassandra_exposed_to_internet --fixer

Recommendation

Apply least privilege network access:

  • Remove ingress from 0.0.0.0/0 and ::/0 to the Cassandra ports
  • Allow only trusted subnets or VPN/bastion
  • Keep nodes in private subnets; segment inter-node traffic
  • Enforce authentication and TLS/mTLS for clients and JMX
  • Add defense in depth with NACLs and monitoring

Remediation

CLI

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":7000,"ToPort":7000,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":7001,"ToPort":7001,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":7199,"ToPort":7199,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":9042,"ToPort":9042,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":9160,"ToPort":9160,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
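The following is an added example, not Prowler's check or fixer code, that models both the exposure logic described at the top of this page (Cassandra ports reachable through security group ingress from an instance with a public IP) and the revoke step above. It works on the field names of the EC2 describe-instances and describe-security-groups responses (IpPermissions, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6), simplifies reachability to "the instance has a public IP" (it does not model subnet exposure), and runs on constructed sample data rather than a live account. Unlike the single command above, it emits IPv6 (::/0) entries as well, and it mirrors each offending rule's own port range, because revoke-security-group-ingress only removes a rule whose values match exactly.

```python
"""Added example (not Prowler's check code): find Cassandra ports an EC2
instance exposes to the Internet and build the matching revoke payload."""
import json
from typing import Dict, List

CASSANDRA_PORTS = (7000, 7001, 7199, 9042, 9160)
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_hits_cassandra(rule: dict) -> List[int]:
    """Cassandra ports covered by one ingress rule (describe-security-groups shape)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" covers every port
        return list(CASSANDRA_PORTS)
    if proto != "tcp":                     # Cassandra listeners are TCP only
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in CASSANDRA_PORTS if lo <= p <= hi]


def internet_sources(rule: dict) -> dict:
    """The rule's sources that mean 'anywhere', in the API's own field names."""
    out = {}
    if any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", [])):
        out["IpRanges"] = [{"CidrIp": ANY_V4}]
    if any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])):
        out["Ipv6Ranges"] = [{"CidrIpv6": ANY_V6}]
    return out


def evaluate(instance: dict, groups: Dict[str, dict]) -> dict:
    """Return {"ports": [...], "revoke": {group_id: [ip-permission entries]}}.

    Reachability is simplified to 'instance has a public IP' (assumption; the
    real check also weighs subnet exposure). Each revoke entry keeps the
    offending rule's protocol and port range and only the Internet-wide
    sources, so trusted CIDRs on the same rule are left in place.
    """
    result = {"ports": [], "revoke": {}}
    if not instance.get("PublicIpAddress"):
        return result
    ports = set()
    for ref in instance.get("SecurityGroups", []):
        gid = ref["GroupId"]
        for rule in groups.get(gid, {}).get("IpPermissions", []):
            hit, sources = rule_hits_cassandra(rule), internet_sources(rule)
            if not hit or not sources:
                continue
            ports.update(hit)
            entry = {"IpProtocol": rule["IpProtocol"]}
            if rule["IpProtocol"] != "-1":   # "-1" rules carry no port range
                entry["FromPort"] = rule.get("FromPort", 0)
                entry["ToPort"] = rule.get("ToPort", 65535)
            entry.update(sources)
            result["revoke"].setdefault(gid, []).append(entry)
    result["ports"] = sorted(ports)
    return result


def revoke_command(group_id: str, permissions: List[dict]) -> str:
    """aws CLI line that removes only the Internet-wide sources found above."""
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps(permissions, separators=(",", ":"))))


# Constructed sample data (hypothetical IDs and addresses, not from any account).
SAMPLE_GROUPS = {
    "sg-0123456789abcdef0": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9042, "ToPort": 9042,       # CQL open to all
         "IpRanges": [{"CidrIp": ANY_V4}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,       # inter-node, IPv6 any
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 7199, "ToPort": 7199,       # JMX, trusted only
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,           # not a Cassandra port
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]}
}
SAMPLE_INSTANCE = {"InstanceId": "i-0123456789abcdef0", "PublicIpAddress": "203.0.113.10",
                   "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0"}]}

if __name__ == "__main__":
    finding = evaluate(SAMPLE_INSTANCE, SAMPLE_GROUPS)
    print("exposed Cassandra ports:", finding["ports"])
    for gid, perms in finding["revoke"].items():
        print(revoke_command(gid, perms))
```

On the sample data the finding reports ports 7000, 7001 and 9042, and the generated command revokes the 0.0.0.0/0 source on the 9042 rule and the ::/0 source on the 7000-7001 rule while leaving the 10.0.0.0/16 source and the JMX rule untouched. Run the printed commands only after confirming no legitimate client reaches the cluster from the Internet.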

Other
  1. Open the AWS Console > EC2 > Instances and select the instance
  2. In the Security tab, click the attached Security Group(s)
  3. Click Edit inbound rules
  4. Remove or change any rule allowing TCP 7000, 7001, 7199, 9042, or 9160 from Anywhere (0.0.0.0/0 or ::/0)
  5. If needed, re-add those ports with a specific trusted source CIDR or security group
  6. Save rules


Resource Type

AwsEc2Instance
