
VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199, 9160 or 8888

Cassandra's JMX port (7199) exposes cluster management operations including compaction, repair, and nodetool commands to anyone who can reach it. The Thrift port (9160) and OpsCenter port (8888) provide direct data and administrative access. Any of these open to 0.0.0.0/0 is an invitation for data exfiltration, denial-of-service, or full cluster compromise.

Scope ingress to the CIDR ranges of your application servers or bastion hosts. If remote access is needed, AWS Systems Manager Session Manager or a VPN is the right answer, not an open database port.

Retrofit consideration

Existing security groups with broad ingress rules may be actively used by Cassandra clusters. Tightening CIDR ranges without coordinating with application owners can break inter-node gossip or client connectivity. Audit active connections with VPC Flow Logs before modifying rules.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/ec2-instance/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = ">=6.0.0"

  ami_ssm_parameter = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64"
  instance_type     = "t4g.nano"
  subnet_id         = "subnet-abc123"
}

Alternatively, use AWS provider resources directly. See the provider docs for the resource involved: aws_vpc_security_group_ingress_rule.

resource "aws_vpc_security_group_ingress_rule" "this" {
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  ip_protocol       = "tcp"
  security_group_id = "sg-abc12345"
  to_port           = 443
}
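The snippet above is a generic rule, so here is the Cassandra-specific shape of the direct-resource approach as an added example (not from the page or from compliance.tf): one narrowly scoped rule per port, with CIDR-based ingress for the bastion subnet and a security-group reference for application clients. The names aws_security_group.cassandra, aws_security_group.app and the 10.20.0.0/24 range are placeholders.

```hcl
# Added example, not from the page: one narrowly scoped ingress rule per Cassandra port.
# aws_security_group.cassandra, aws_security_group.app and 10.20.0.0/24 are placeholders.

# JMX (7199): only the bastion subnet, reached via Session Manager or VPN, may run nodetool.
resource "aws_vpc_security_group_ingress_rule" "cassandra_jmx_from_bastion" {
  security_group_id = aws_security_group.cassandra.id
  cidr_ipv4         = "10.20.0.0/24"
  from_port         = 7199
  ip_protocol       = "tcp"
  to_port           = 7199
  description       = "JMX/nodetool from bastion subnet"
}

# Thrift (9160): clients are identified by their security group rather than a CIDR,
# so the rule follows the application instances wherever they are launched.
resource "aws_vpc_security_group_ingress_rule" "cassandra_thrift_from_app" {
  security_group_id            = aws_security_group.cassandra.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = 9160
  ip_protocol                  = "tcp"
  to_port                      = 9160
  description                  = "Thrift clients from the application security group"
}

# OpsCenter (8888): same bastion-only scoping as JMX.
resource "aws_vpc_security_group_ingress_rule" "cassandra_opscenter_from_bastion" {
  security_group_id = aws_security_group.cassandra.id
  cidr_ipv4         = "10.20.0.0/24"
  from_port         = 8888
  ip_protocol       = "tcp"
  to_port           = 8888
  description       = "OpsCenter from bastion subnet"
}

# Deliberately no cidr_ipv6 = "::/0" rule for any of these ports: if IPv6 is not in use,
# create no IPv6 ingress at all rather than an open one.
```

Each rule is its own resource, so a plan diff or scanner finding points at exactly one port and one source.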

What this control checks

The control flags any aws_vpc_security_group_ingress_rule resource (or legacy aws_security_group_rule with type = "ingress") that permits traffic from cidr_ipv4 = "0.0.0.0/0" or cidr_ipv6 = "::/0" where from_port and to_port include 7199, 9160, or 8888. To pass, either omit rules for those ports entirely or scope the CIDR blocks to specific private ranges (e.g., 10.0.0.0/8 or your VPC CIDR). Wide port ranges that span any of these ports (for example, from_port = 7000, to_port = 9200 with cidr_ipv4 = "0.0.0.0/0") also fail. Each Cassandra port should have a narrowly scoped ingress rule referencing only authorized client CIDRs or a referenced_security_group_id for peer security groups.

Common pitfalls

  • Wide port ranges silently include Cassandra ports

    A rule like from_port = 0, to_port = 65535 with cidr_ipv4 = "0.0.0.0/0" will fail this control even if the intent was general connectivity. Audit all security group rules for broad port ranges, not just rules explicitly targeting 7199, 9160, or 8888.

  • Inline ingress blocks in aws_security_group

    The ingress {} inline block inside aws_security_group still works but makes it harder to audit individual port rules. Standalone aws_vpc_security_group_ingress_rule resources give each rule its own addressable identity, which makes policy-as-code checks cleaner and easier to trace in state.

  • IPv6 rules evaluated separately

    A group can pass the IPv4 check (no 0.0.0.0/0) and still fail on IPv6 (cidr_ipv6 = "::/0"). Both address families need to be restricted. If you don't use IPv6, don't create any ::/0 rules at all rather than assuming they're harmless.

  • Security group referenced by multiple resources

    Tightening a shared security group affects all attached ENIs, not just Cassandra nodes. Run aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-xxx before narrowing CIDR blocks to see what else would be affected.
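The control logic described under "What this control checks", together with the wide-port-range and IPv6 pitfalls above, as an added example (not the compliance.tf, Prowler or Powerpipe implementation): a Python check over the JSON that terraform show -json produces, covering both the new aws_vpc_security_group_ingress_rule schema and the legacy aws_security_group_rule schema, nested modules, protocol -1, and both address families. The sample plan embedded below is constructed for the example.

```python
CASSANDRA_PORTS = {7199, 9160, 8888}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample (same shape as json.load of `terraform show -json`); two rules should fail.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_vpc_security_group_ingress_rule.jmx", "type": "aws_vpc_security_group_ingress_rule",
     "values": {"cidr_ipv4": "0.0.0.0/0", "from_port": 7199, "to_port": 7199, "ip_protocol": "tcp"}},
    {"address": "aws_vpc_security_group_ingress_rule.https", "type": "aws_vpc_security_group_ingress_rule",
     "values": {"cidr_ipv4": "0.0.0.0/0", "from_port": 443, "to_port": 443, "ip_protocol": "tcp"}},
    {"address": "aws_vpc_security_group_ingress_rule.thrift", "type": "aws_vpc_security_group_ingress_rule",
     "values": {"cidr_ipv4": "10.0.0.0/8", "from_port": 9160, "to_port": 9160, "ip_protocol": "tcp"}},
    {"address": "aws_security_group_rule.wide", "type": "aws_security_group_rule",
     "values": {"type": "ingress", "ipv6_cidr_blocks": ["::/0"], "from_port": 7000, "to_port": 9200, "protocol": "tcp"}},
]}}}

def port_range(values):
    """Ports a rule covers; protocol -1 (all traffic) or missing ports means every port."""
    if str(values.get("ip_protocol", values.get("protocol", "tcp"))) == "-1":
        return 0, 65535
    lo, hi = values.get("from_port"), values.get("to_port")
    return (0, 65535) if lo is None or hi is None else (int(lo), int(hi))

def open_cidrs(values):
    """Unrestricted sources on a rule, checking both address families and both resource schemas."""
    cidrs = [values.get("cidr_ipv4"), values.get("cidr_ipv6")]
    cidrs += (values.get("cidr_blocks") or []) + (values.get("ipv6_cidr_blocks") or [])
    return sorted(c for c in cidrs if c in OPEN_CIDRS)

def walk(module):
    """Yield resources from the root module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def find_exposed_cassandra_rules(plan):
    """Return (address, open CIDRs, Cassandra ports hit) for each failing ingress rule."""
    findings = []
    for res in walk(plan["planned_values"]["root_module"]):
        values = res.get("values", {})
        is_legacy = res.get("type") == "aws_security_group_rule" and values.get("type") == "ingress"
        if not is_legacy and res.get("type") != "aws_vpc_security_group_ingress_rule":
            continue
        sources = open_cidrs(values)
        lo, hi = port_range(values)
        hit = sorted(p for p in CASSANDRA_PORTS if lo <= p <= hi)
        if sources and hit:  # open to the world AND the range spans a Cassandra port
            findings.append((res["address"], sources, hit))
    return findings
```

Run it against a real plan with find_exposed_cassandra_rules(json.load(open("plan.json"))); the 443 rule and the 10.0.0.0/8 rule pass, while the JMX rule and the 7000-9200 IPv6 range are reported.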

Audit evidence

Auditors expect Terraform plan/state reviews or scanner output (Prowler, Steampipe) confirming no security group permits 0.0.0.0/0 or ::/0 ingress to ports 7199, 9160, or 8888. VPC Flow Logs filtered to those destination ports demonstrate that no internet-sourced traffic is reaching Cassandra instances. Console screenshots from the EC2 Security Groups page showing restricted CIDR blocks on each relevant group round out the evidence package.

For continuous compliance, custom AWS Config rules or Security Hub controls can track this requirement over time and retain an audit trail of evaluation history, including timestamps of any temporary non-compliance and the remediation that followed.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: vpc_security_group_allows_ingress_to_cassandra_ports

  • Powerpipe Control: aws_compliance.control.vpc_security_group_allows_ingress_to_cassandra_ports

  • Prowler Checks: ec2_instance_port_cassandra_exposed_to_internet, ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888

Last reviewed: 2026-03-09