This rule ensures that RDS snapshots do not allow public access to maintain data security.
| Rule | RDS snapshots should prohibit public access |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Critical |
Ensuring RDS Snapshots Prohibit Public Access for CISA-Cyber-Essentials Compliance
Amazon RDS snapshots containing data can be a security risk if configured incorrectly. Making snapshots public exposes sensitive data to potential breaches. This guide covers how to secure your RDS snapshots, ensuring they are not publicly available, in alignment with CISA-Cyber-Essentials best practices.
Understanding the Policy
Rule Description
This rule aims to ensure that Amazon RDS (Relational Database Service) snapshots are not publicly accessible. A public snapshot can be copied or restored by any AWS account, so it can leak the data it contains.
Verification Steps
Check Snapshot Accessibility
AWS CLI Command
To list your manual snapshots (only manual snapshots can be shared or made public), then inspect the restore attribute of each one; a snapshot is public when that attribute's values include all:
aws rds describe-db-snapshots --snapshot-type manual --query 'DBSnapshots[*].DBSnapshotIdentifier' --output table
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <snapshot-id> --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues' --output text
Remediation Steps
If any RDS snapshots are public, follow these steps to make them private:
AWS CLI Command
To modify a snapshot's attribute to private:
aws rds modify-db-snapshot-attribute \
    --db-snapshot-identifier <snapshot-id> \
    --attribute-name restore \
    --values-to-remove all
Replace <snapshot-id> with your actual RDS snapshot ID. Removing the value all revokes public access only; any sharing with specific AWS accounts is unaffected.
Automation
AWS Config Rule
Configuring an AWS Config rule can automatically check the status of RDS snapshots and flag any that are public.
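The following is an added example, not part of the original guide, of what such a Config rule evaluates. AWS ships a managed rule for this check (rds-snapshots-public-prohibited); the custom, change-triggered rule below is written out so the evaluation logic is explicit. It assumes the snapshot identifier can be read from the configuration item's resourceName (falling back to resourceId), and it takes the RDS and Config clients as parameters so the logic can be exercised offline against constructed data; with real credentials, the handler creates boto3 clients itself.

```python
# Added example: evaluation logic of a custom AWS Config rule for AWS::RDS::DBSnapshot.
# Not code from the original guide. Assumptions: the snapshot identifier comes from the
# configuration item's resourceName (or resourceId); clients are injectable for offline use.
import json


def is_public(attributes_result):
    """True when the snapshot's 'restore' attribute contains 'all' (RDS's marker for public)."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def evaluate_snapshot(configuration_item, rds):
    """Build the AWS Config evaluation record for one DB snapshot configuration item."""
    if configuration_item["resourceType"] != "AWS::RDS::DBSnapshot":
        compliance = "NOT_APPLICABLE"
    else:
        # Assumption: resourceName carries the snapshot identifier; resourceId is the fallback.
        snapshot_id = configuration_item.get("resourceName") or configuration_item["resourceId"]
        attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)
        compliance = "NON_COMPLIANT" if is_public(attrs["DBSnapshotAttributesResult"]) else "COMPLIANT"
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, rds=None, config=None):
    """Custom-rule entry point. Config passes invokingEvent as a JSON string and a resultToken."""
    if rds is None or config is None:
        import boto3  # only needed when running inside AWS
        rds = rds or boto3.client("rds")
        config = config or boto3.client("config")
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = evaluate_snapshot(invoking_event["configurationItem"], rds)
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class FakeRds:
    """Constructed stand-in for boto3's RDS client: snapshot id -> restore attribute values."""
    def __init__(self, restore_values):
        self._restore = restore_values

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
            {"AttributeName": "restore",
             "AttributeValues": self._restore.get(DBSnapshotIdentifier, [])}]}}


class FakeConfig:
    """Constructed stand-in that records what would be sent to put_evaluations."""
    def __init__(self):
        self.sent = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.sent.append((ResultToken, Evaluations))


# Constructed configuration item and invoking event in the shape Config delivers them.
SAMPLE_CONFIGURATION_ITEM = {
    "resourceType": "AWS::RDS::DBSnapshot",
    "resourceId": "arn:aws:rds:us-east-1:111122223333:snapshot:prod-db-2024-01-03",
    "resourceName": "prod-db-2024-01-03",
    "configurationItemCaptureTime": "2024-01-03T00:00:00.000Z",
}
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_CONFIGURATION_ITEM}),
}

if __name__ == "__main__":
    # Offline demonstration against a snapshot that has been made public.
    result = lambda_handler(SAMPLE_EVENT, None,
                            rds=FakeRds({"prod-db-2024-01-03": ["all"]}), config=FakeConfig())
    print(result["ComplianceResourceId"], result["ComplianceType"])
```

The same Lambda, registered as the rule's source with AWS::RDS::DBSnapshot as its scope, runs on every recorded change to a snapshot; the evaluation it reports is what drives the remediation in the next section.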
Lambda Remediation
Create an AWS Lambda function, triggered by the AWS Config rule, that checks the reported snapshot and removes public access when it is set.
Code
Below is an outline of such a Lambda function:
import boto3

rds_client = boto3.client('rds')


def is_public(attributes_result):
    # RDS marks a snapshot public by adding the value 'all' to its 'restore' attribute.
    for attr in attributes_result['DBSnapshotAttributes']:
        if attr['AttributeName'] == 'restore' and 'all' in attr['AttributeValues']:
            return True
    return False


def lambda_handler(event, context):
    # Snapshot identifier from the request parameters of the triggering event
    # (a CloudTrail ModifyDBSnapshotAttribute record delivered via EventBridge;
    # CloudTrail camel-cases the API parameter name).
    snapshot_id = event['detail']['requestParameters']['dBSnapshotIdentifier']
    response = rds_client.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)
    if is_public(response['DBSnapshotAttributesResult']):
        # Removing 'all' revokes public access; account-specific shares are left as they are.
        rds_client.modify_db_snapshot_attribute(
            DBSnapshotIdentifier=snapshot_id,
            AttributeName='restore',
            ValuesToRemove=['all'],
        )
The function's execution role needs the rds:DescribeDBSnapshotAttributes and rds:ModifyDBSnapshotAttribute permissions, and production code should add error handling around the API calls.
Compliance Monitoring
Regularly monitor the public access setting of RDS snapshots with automated audits using AWS Config, CloudTrail, or a periodic Lambda function that reports on snapshots' public status.
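As an added example serving both the verification steps above and this monitoring section (it is not code from the original guide), the script below audits an account for public snapshots the way a periodic Lambda or scheduled job would: it pages through all manual snapshots, reads each one's restore attribute, and returns the identifiers that are public. The RDS client is passed in as a parameter so the logic can be demonstrated offline against a constructed stand-in; with real credentials, pass boto3.client('rds').

```python
# Added audit script, not part of the original guide. Assumption: the `rds` argument
# behaves like boto3's RDS client (get_paginator('describe_db_snapshots') and
# describe_db_snapshot_attributes(DBSnapshotIdentifier=...)); a constructed fake is used here.


def is_public(attributes_result):
    """True when the snapshot's 'restore' attribute contains 'all' (RDS's marker for public)."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(rds):
    """Return identifiers of manual snapshots that are public.

    Only manual snapshots can be shared, so SnapshotType='manual' skips automated ones,
    and the paginator handles accounts with more snapshots than one API page holds.
    """
    public = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            snapshot_id = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)
            if is_public(attrs["DBSnapshotAttributesResult"]):
                public.append(snapshot_id)
    return public


class FakeRdsClient:
    """Constructed stand-in for boto3's RDS client: snapshot id -> restore attribute values."""

    def __init__(self, snapshots):
        self._snapshots = snapshots

    def get_paginator(self, name):
        assert name == "describe_db_snapshots"
        ids = list(self._snapshots)

        class Paginator:
            def paginate(_self, **kwargs):
                # Split into two pages so the caller's pagination loop is exercised.
                yield {"DBSnapshots": [{"DBSnapshotIdentifier": i} for i in ids[:1]]}
                yield {"DBSnapshots": [{"DBSnapshotIdentifier": i} for i in ids[1:]]}

        return Paginator()

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": DBSnapshotIdentifier,
            "DBSnapshotAttributes": [
                {"AttributeName": "restore",
                 "AttributeValues": self._snapshots[DBSnapshotIdentifier]}]}}


# Constructed sample: one private snapshot, one shared with a single account, one public.
SAMPLE_CLIENT = FakeRdsClient({
    "prod-db-2024-01-01": [],
    "prod-db-2024-01-02": ["111122223333"],
    "prod-db-2024-01-03": ["all"],
})


def main():
    # Swap SAMPLE_CLIENT for boto3.client('rds') to audit a real account.
    for snapshot_id in find_public_snapshots(SAMPLE_CLIENT):
        print(f"NON-COMPLIANT: snapshot {snapshot_id} is public")


if __name__ == "__main__":
    main()
```

Note that a snapshot shared with named accounts is reported as private by this check, which matches the rule's scope: it is only the value all that opens a snapshot to every AWS account.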
Conclusion
Ensuring that RDS snapshots are private is crucial for CISA-Cyber-Essentials compliance. Regular monitoring, timely remediation, and proper automation are necessary to maintain data security and integrity.