Rule: RDS DB Instances Should Prohibit Public Access

This rule ensures that RDS DB instances do not allow public access, determined by the PubliclyAccessible configuration.

Rule: RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
Framework: AWS Foundational Security Best Practices
Severity: Critical

Rule Description:

The rule states that RDS DB instances should prohibit public access. This means that the PubliclyAccessible configuration should be disabled for AWS RDS instances. By doing so, it ensures that the RDS databases are not accessible from the public internet, which helps maintain the security and integrity of the data stored in the RDS instances.

Troubleshooting Steps:

If public access to an RDS instance is detected, follow the steps below to troubleshoot the issue:

  1. Verify PubliclyAccessible setting: Check the PubliclyAccessible attribute of the RDS instance in question. Ensure that it is set to "false" to prohibit public access.

  2. Security Group configuration: Review the associated Security Group(s) for the RDS instance. Make sure that inbound rules do not allow public IP addresses or wide-open access (0.0.0.0/0) to the RDS instance.

  3. Network ACLs: Confirm that the Network Access Control Lists (NACLs) associated with the subnet of the RDS instance do not permit inbound connectivity from the public internet.

  4. Route Tables: Check the route tables used by the subnet of the RDS instance. Ensure that the routes do not allow public internet access to the RDS instance's subnet.

  5. VPC Endpoints: If applicable, verify that there are no VPC endpoints configured that might provide public access to the RDS instance.

  6. AWS CloudTrail Logs: Review AWS CloudTrail logs for any suspicious activity related to the RDS instance. Look for unauthorized access attempts or changes in the PubliclyAccessible setting.

Remediation Steps:

To remediate the RDS instance to comply with the rule, perform the following steps:

  1. Identify the RDS instance: Determine the specific RDS instance that is configured with public access.

  2. Update PubliclyAccessible setting: Modify the PubliclyAccessible attribute to "false" for the identified RDS instance. This will prohibit public access to the RDS instance.

  3. Update Security Group(s): Review the associated Security Group(s) and ensure that the inbound rules restrict access to allowed IP addresses or secure subnets only. Remove any rules that allow public internet access (0.0.0.0/0).

  4. Review Network ACLs: Confirm that the Network Access Control Lists (NACLs) associated with the subnet of the RDS instance restrict inbound connectivity to desired sources only. Remove any rules that grant public internet access.

  5. Update Route Tables: Modify the route tables associated with the RDS instance's subnet to prevent public internet access. Configure the routes to direct traffic only to trusted destinations.

  6. Monitor AWS CloudTrail: Continuously monitor AWS CloudTrail logs for any unauthorized access attempts or changes related to the RDS instance's PubliclyAccessible setting. Investigate and take necessary actions if any suspicious activities are identified.
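As an added example (not code from the original rule page), the following Python applies troubleshooting and remediation checks 1 through 3 offline: it evaluates the PubliclyAccessible flag and then scans each attached Security Group for an inbound rule open to 0.0.0.0/0 or ::/0 on the database port. The input dictionaries follow the shape of boto3's rds.describe_db_instances() and ec2.describe_security_groups() responses; the instance names, group IDs and CIDRs are constructed sample values.

```python
import ipaddress

# Constructed sample data shaped like describe_db_instances()/describe_security_groups() items.
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0e5f6a7b"}]},
]
SAMPLE_SGS = {
    "sg-0a1b2c3d": {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0e5f6a7b": {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches the database port."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def evaluate_db_instance(db, security_groups):
    """Findings for one instance: the PubliclyAccessible flag (the control itself)
    plus any attached Security Group rule that admits the whole internet."""
    ident, port, findings = db["DBInstanceIdentifier"], db["Endpoint"]["Port"], []
    if db.get("PubliclyAccessible"):
        findings.append(f"{ident}: PubliclyAccessible is true")
    for ref in db.get("VpcSecurityGroups", []):
        sg = security_groups.get(ref["VpcSecurityGroupId"], {})
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                    findings.append(f"{ident}: {sg['GroupId']} allows {cidr} to port {port}")
    return findings


def audit(dbs, sgs):
    """Map each instance identifier to its findings; an empty list means compliant."""
    return {db["DBInstanceIdentifier"]: evaluate_db_instance(db, sgs) for db in dbs}
```

Against a live account, pass the items from rds.describe_db_instances()["DBInstances"] and ec2.describe_security_groups()["SecurityGroups"] keyed by GroupId. An open-CIDR finding is removed with aws ec2 revoke-security-group-ingress; authorize-security-group-ingress only adds rules.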

CLI Commands:

  1. To modify the PubliclyAccessible setting for an RDS instance:

     aws rds modify-db-instance --db-instance-identifier <instance-id> --no-publicly-accessible

     Replace <instance-id> with the identifier of the RDS instance.

  2. To update Security Group inbound rules so that access is allowed only from a trusted Security Group:

     aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --source-group <source-security-group-id>

     Replace <security-group-id> with the ID of the Security Group, <port> with the desired port number, and <source-security-group-id> with the ID of the secure source Security Group.

  3. To modify Network ACL inbound rules:

     aws ec2 replace-network-acl-entry --network-acl-id <network-acl-id> --rule-number <rule-number> --protocol <protocol> --rule-action <rule-action> --cidr-block <cidr-block> --ingress

     Replace <network-acl-id> with the ID of the Network ACL, <rule-number> with the desired rule number, <protocol> with the desired protocol, <rule-action> with the desired action (allow or deny), and <cidr-block> with the desired CIDR block.

  4. To modify route table entries:

     aws ec2 replace-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr-block> --gateway-id <gateway-id>

     Replace <route-table-id> with the ID of the route table, <destination-cidr-block> with the desired destination CIDR block, and <gateway-id> with the ID of the intended gateway.

Note: Ensure you have the necessary IAM permissions to execute the above commands.

By following these steps and using the provided CLI commands, you can successfully prohibit public access to RDS DB instances, as recommended by the AWS Foundational Security Best Practices.
