Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures that RDS snapshots do not have public access to maintain data security.

Rule: RDS snapshots should prohibit public access
Framework: CISA-cyber-essentials
Severity: Critical

Rule Description: RDS Snapshots should prohibit public access for CISA Cyber Essentials.

Description:

RDS (Relational Database Service) is a managed database service provided by Amazon Web Services (AWS) that allows users to set up, operate, and scale a relational database in the cloud. RDS Snapshots are backups of your RDS databases that can be used for restoring data or creating new databases.

To comply with the CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials requirements, it is crucial to ensure that RDS snapshots do not have public access. Allowing public access to RDS snapshots increases the risk of unauthorized access to sensitive data or potential compromise of the database.

Troubleshooting Steps:

  1. Check RDS Snapshots:

    • Identify the RDS snapshots associated with your databases.
    • Verify their accessibility and permissions.

  2. Verify Public Access Permissions:

    • Check if there are any snapshots with public access enabled.
    • Determine if the snapshot is publicly accessible or restricted to specific IP addresses.

  3. Validate Security Group Settings:

    • Ensure that the security groups associated with the RDS snapshots do not allow inbound traffic from any IP address (0.0.0.0/0) or have overly permissive rules.
    • Double-check the inbound rules associated with these security groups.

  4. Review Network ACLs:

    • Validate that the network access control lists (ACLs) associated with the RDS snapshots are not configured to allow public access.
    • Ensure that the ACL rules are appropriately restricted.

Necessary Codes:

The exact commands depend on the existing configuration and the desired changes. The following example shows how to update the snapshot permissions using the AWS Command Line Interface (CLI):

aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all

This command modifies the "restore" attribute of the specified RDS snapshot and removes the value "all", which is the value that makes a manual snapshot restorable by every AWS account (that is, public). Note that passing "all" to --values-to-add does the opposite and makes the snapshot public. AWS accounts that were explicitly added to the attribute by account ID keep their access.

Remediation Steps:

  1. Identify and Validate RDS Snapshots:

    • Review and identify the RDS snapshots that need remediation.
    • Ensure you have the necessary permissions to modify RDS snapshot attributes.

  2. Update Permissions:

    • Use the AWS CLI or the AWS Management Console to modify the permissions of the RDS snapshots.
    • Make sure to remove public access and restrict access to authorized accounts or networks.

  3. Verify Changes:

    • Validate that the RDS snapshots no longer have public access.
    • Check the snapshot attributes to confirm the changes.

  4. Repeat for Other Snapshots:

    • If there are multiple RDS snapshots, repeat the above steps for each snapshot to ensure all are compliant with the rule.

  5. Monitor and Maintain:

    • Regularly review and audit the permissions of RDS snapshots to ensure ongoing compliance.
    • Implement a robust security monitoring system to promptly detect any unauthorized access attempts or changes to snapshot permissions.

Note: Please ensure that you thoroughly understand the AWS CLI commands and their potential impact before executing them in your environment. Adjust the commands as necessary based on your specific requirements and configurations.
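The identify, remediate and verify steps above, as an added example that is not part of the original page or the vendor's tooling: this Python script reads the JSON returned by aws rds describe-db-snapshot-attributes and flags any snapshot whose "restore" attribute contains "all". The sample responses, snapshot names and account ID are constructed for illustration.

```python
import json
import shlex

# Constructed sample: one `aws rds describe-db-snapshot-attributes` response
# per snapshot. Snapshot names and the account ID are made up.
SAMPLE_RESPONSES = json.loads("""[
  {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-2024-01",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
  {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-2024-02",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]}},
  {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-2024-03",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}}
]""")


def restore_values(response):
    """Return (snapshot id, set of values on the 'restore' attribute)."""
    result = response["DBSnapshotAttributesResult"]
    values = set()
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            values.update(attr.get("AttributeValues", []))
    return result["DBSnapshotIdentifier"], values


def audit(responses):
    """Classify each snapshot as public, shared with accounts, or private."""
    report = {"public": [], "shared": {}, "private": []}
    for response in responses:
        snap_id, values = restore_values(response)
        if "all" in values:      # 'all' = restorable by any AWS account
            report["public"].append(snap_id)
        elif values:             # explicit account IDs: review, but not public
            report["shared"][snap_id] = sorted(values)
        else:
            report["private"].append(snap_id)
    return report


def remediation_command(snap_id):
    """Build the CLI call that removes the public ('all') restore grant."""
    return ("aws rds modify-db-snapshot-attribute --db-snapshot-identifier "
            f"{shlex.quote(snap_id)} --attribute-name restore --values-to-remove all")


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSES)
    for snap_id in report["public"]:
        print("PUBLIC:", snap_id, "->", remediation_command(snap_id))
```

Re-running the audit on fresh describe-db-snapshot-attributes output after remediation covers the "Verify Changes" step: the "public" list should be empty.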
