
Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures that RDS snapshots do not have public access enabled.

Rule: RDS snapshots should prohibit public access
Framework: AWS Audit Manager Control Tower Guardrails
Severity: Critical

RDS Snapshots Should Prohibit Public Access for AWS Audit Manager Control Tower Guardrails

AWS Audit Manager is a service that helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Control Tower is a service that offers the easiest way to set up and govern a secure, multi-account AWS environment. One of the security best practices recommended by AWS is ensuring that Amazon Relational Database Service (RDS) snapshots are not publicly accessible, which can be enforced through Control Tower Guardrails.

Rule Description

This rule stipulates that RDS snapshots must be configured to prevent public access. RDS snapshots contain backups of your databases, and if made publicly available, anyone on the internet can potentially access your sensitive data. To safeguard your information, it's essential to ensure that the snapshots are only accessible by authorized personnel within your organization.

Troubleshooting Steps

If an RDS snapshot is found to be publicly accessible, you will need to update the permissions to restrict access. The detailed troubleshooting steps are as follows:

  1. Identify the publicly accessible snapshot:

     • Use the AWS Management Console or the AWS CLI to list all RDS snapshots and their attributes, looking specifically for the public attribute (the restore attribute set to all).

  2. Modify snapshot permissions:

     • Change the permissions of the snapshot to remove public access. You can do this through the AWS Management Console or by using the AWS CLI.

  3. Validate compliance:

     • Once you've modified the snapshot permissions, verify that no snapshots are publicly accessible.

Necessary Codes

To check and modify RDS snapshot permissions, you can use the AWS Command Line Interface (CLI):

Step 1: List All RDS Snapshots and Check Public Accessibility

aws rds describe-db-snapshots --snapshot-type public --query "DBSnapshots[?contains(DBSnapshotArn, '<YOUR_ACCOUNT_ID>')].DBSnapshotIdentifier" --output text

Replace <YOUR_ACCOUNT_ID> with your 12-digit AWS account ID. This command lists the snapshots in your account that are currently public. The --snapshot-type public filter returns every public snapshot visible in the region, including ones owned by other accounts, so the query keeps only those whose ARN carries your account ID. (The DBSnapshots output has no Public field; public access is recorded in the snapshot's restore attribute.) To confirm a single snapshot, run aws rds describe-db-snapshot-attributes --db-snapshot-identifier <YOUR_SNAPSHOT_IDENTIFIER>: the snapshot is public when the restore attribute's AttributeValues contains all.

Step 2: Modify Snapshot Permissions to Remove Public Access

aws rds modify-db-snapshot-attribute --db-snapshot-identifier <YOUR_SNAPSHOT_IDENTIFIER> --attribute-name restore --values-to-remove all

Replace <YOUR_SNAPSHOT_IDENTIFIER> with the actual identifier of the snapshot you want to modify. Removing the value all leaves any sharing with specific account IDs in place; remove those explicitly if they are not authorized.

Step 3: Validate That No Snapshots Are Publicly Accessible

aws rds describe-db-snapshots --snapshot-type public --region <YOUR_REGION> --query "DBSnapshots[?contains(DBSnapshotArn, '<YOUR_ACCOUNT_ID>')].DBSnapshotIdentifier" --output text

Replace <YOUR_REGION> with your AWS region and <YOUR_ACCOUNT_ID> with your AWS account ID. Empty output confirms that no public snapshots remain in that region; snapshots are regional resources, so repeat the check in every region where you keep RDS snapshots.
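For auditing every manual snapshot in a region rather than one identifier at a time, here is an added Python (boto3) example; it is not code from the original page or from Cloud Defense. It assumes AWS credentials and a default region are configured in the environment, and the snapshot names in SAMPLE_ATTRIBUTES are constructed for illustration.

```python
"""Audit manual RDS snapshots for public restore permission and optionally remove it."""
import sys

# Constructed sample of describe-db-snapshot-attributes results (not real snapshots):
# one public, one shared with a single account, one private.
SAMPLE_ATTRIBUTES = {
    "orders-prod-2024-05-01": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
    "orders-prod-2024-05-02": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}],
    "orders-prod-2024-05-03": [{"AttributeName": "restore", "AttributeValues": []}],
}


def is_public(attributes):
    """True when the 'restore' attribute grants the snapshot to 'all' (every AWS account)."""
    for attr in attributes:
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(attributes_by_snapshot):
    """Return the sorted identifiers of snapshots whose restore permission includes 'all'."""
    return sorted(sid for sid, attrs in attributes_by_snapshot.items() if is_public(attrs))


def audit_region(rds, fix=False):
    """Walk every manual snapshot in the region via boto3 and report (or remove) public access.

    Automated snapshots cannot be shared or made public, so only SnapshotType='manual' is checked.
    """
    attributes_by_snapshot = {}
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            result = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)
            attributes_by_snapshot[sid] = result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
    public = find_public_snapshots(attributes_by_snapshot)
    for sid in public:
        if fix:  # same call as the CLI's modify-db-snapshot-attribute --values-to-remove all
            rds.modify_db_snapshot_attribute(
                DBSnapshotIdentifier=sid, AttributeName="restore", ValuesToRemove=["all"]
            )
    return public


if __name__ == "__main__":
    import boto3  # imported here so the pure checks above run without AWS access

    found = audit_region(boto3.client("rds"), fix="--fix" in sys.argv)
    print("public snapshots:", found or "none")
```

Run it without arguments to report, or with --fix to remove the all grant from each public snapshot found; sharing with specific account IDs is left untouched.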

Step by Step Guide for Remediation

  1. Log into the AWS Management Console: Navigate to the RDS service dashboard.

  2. Select the RDS Snapshot: Locate the snapshot that is publicly accessible under the "Snapshots" section.

  3. Modify Snapshot Permissions:

     • Click on the snapshot to view its details.
     • Look for the "Snapshot Actions" button, and select "Modify Snapshot Permissions" from the dropdown menu.
     • Remove any public access settings, ensuring the "Publicly Accessible" option is set to "No" or removing any IAM roles or accounts that should not have access.
     • Confirm the changes to permissions.

  4. Verify the Update: Double-check the snapshot permissions to ensure that public access has been effectively removed.

By strictly following these guidelines and regularly auditing your RDS snapshots for public accessibility, you can enhance the security posture of your AWS environment and reinforce compliance with AWS best practices.
