
Rule: RDS DB Instances Should Prohibit Public Access

This rule ensures RDS DB instances do not allow public access to maintain security standards.

Rule: RDS DB instances should prohibit public access
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

RDS (Relational Database Service) DB instances should not be publicly accessible. When an instance's PubliclyAccessible attribute is true, RDS assigns it a public IP address and its endpoint DNS name resolves to that public address from outside the VPC, so the database listener is reachable from the internet to the extent the attached VPC security groups allow. This rule applies to DB instances that must comply with the Federal Risk and Authorization Management Program (FedRAMP) Low security level, Revision 4.

Reason:

A publicly accessible DB instance exposes the database listener to internet-wide credential guessing, exploitation of database engine vulnerabilities, and data exfiltration if credentials leak; a single permissive security group rule is then all that separates the internet from the data. To comply with FedRAMP Low Revision 4, public access to RDS DB instances must be removed and database connectivity confined to the VPC (or to networks reached through VPN, AWS Direct Connect, VPC peering, or a bastion host).

Remediation:

Follow the steps below to remove public access from the affected RDS DB instances:

1. Identify RDS DB instances open to the public:

Run the following AWS CLI command to list the RDS DB instances whose PubliclyAccessible attribute is set. Note the backticks around true: the attribute is a JSON boolean, and a JMESPath comparison against the quoted string 'true' matches nothing, so a query written that way silently reports no public instances.

aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,DBInstanceArn,Endpoint.Port]' --output table

RDS is a regional service, so run the command in every region in use (for example by passing --region). Note down the identifier, ARN and endpoint port of each RDS DB instance returned.

2. Disable public accessibility and tighten the Security Groups:

a. Turn off the PubliclyAccessible attribute:

This is the attribute the rule evaluates; changing Security Group rules alone does not clear it. Run the following AWS CLI command:

aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --no-publicly-accessible --apply-immediately

Replace <DB_INSTANCE_ID> with the actual identifier of the RDS DB instance. Once the modification completes, the instance endpoint resolves only to a private IP address inside the VPC. Clients that previously connected over the public address must reach the instance through a VPN, AWS Direct Connect, VPC peering, or a bastion host in the VPC.

b. Identify the associated Security Group(s):

To list the VPC Security Group(s) attached to the RDS DB instance, run the following AWS CLI command:

aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID> --query "DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId" --output text

c. Revoke world-open ingress on the database port:

The port is the engine listener port reported as Endpoint.Port by describe-db-instances (by default 3306 for MySQL and MariaDB, 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle). For each Security Group, revoke any rule that allows the whole internet to reach that port:

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port <PORT> --cidr 0.0.0.0/0

Replace <SECURITY_GROUP_ID> with the actual Security Group ID associated with the RDS DB instance, and <PORT> with the database port. The revoke must match an existing rule exactly, otherwise the CLI returns InvalidPermission.NotFound; use describe-security-groups to see the group's current rules, and if it also has an IPv6 rule for ::/0 on the same port, revoke that one too. Replace the removed rule with one limited to the CIDR ranges or Security Groups of the application tier that actually needs to connect.

Repeat this step for all Security Groups associated with the RDS DB instance.

3. Verify changes:

Wait until the instance status returns to available, then re-run the command from step 1 and confirm that the previously identified RDS DB instances are no longer listed, i.e. PubliclyAccessible is now false for each of them. Also confirm that none of the attached Security Groups still allows 0.0.0.0/0 or ::/0 on the database port by inspecting the IpRanges and Ipv6Ranges entries returned by:

aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID> --query "SecurityGroups[].IpPermissions"
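The three remediation steps above, combined into one AWS CLI script. This is an added example and not part of the original page or the vendor's tooling. It assumes a configured AWS CLI (credentials and region, for example via AWS_PROFILE and AWS_REGION) with the permissions listed under Troubleshooting; the instance identifiers, ports and security group IDs it works on come from the live account, and the names that appear in comments are placeholders. By default it runs in dry-run mode and only prints the mutating commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): remediate "RDS DB instances
# should prohibit public access" end to end.
#   1. list instances with PubliclyAccessible=true
#   2. for each: clear the attribute, then revoke 0.0.0.0/0 and ::/0 ingress on
#      the endpoint port from every attached VPC security group
#   3. re-check that nothing is still flagged public
# DRY_RUN=1 (default) prints mutating commands instead of executing them.
# Assumes a configured AWS CLI; run once per region in use (AWS_REGION).
set -euo pipefail

DRY_RUN="${DRY_RUN:-1}"

# Execute a mutating AWS CLI call, or print it under DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY-RUN: aws $*"
  else
    aws "$@"
  fi
}

# Identifiers of instances whose PubliclyAccessible attribute is true, one per
# line. The JMESPath literal `true` (backticks) is essential: the attribute is a
# JSON boolean, and comparing it with the string 'true' matches nothing.
list_public_instances() {
  aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' \
    --output text | tr '\t' '\n' | sed '/^None$/d;/^$/d'
}

# Engine listener port of one instance (3306, 5432, 1433, 1521, ...).
instance_port() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].Endpoint.Port' --output text
}

# VPC security group IDs attached to one instance, one per line.
instance_security_groups() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId' \
    --output text | tr '\t' '\n' | sed '/^None$/d;/^$/d'
}

# Remediate a single instance; prints each action taken (or planned).
remediate_instance() {
  local id=$1 port
  # Clear the attribute the rule evaluates. Afterwards the endpoint resolves
  # only to a private IP, whatever the security groups allow.
  run rds modify-db-instance --db-instance-identifier "$id" \
    --no-publicly-accessible --apply-immediately
  # Defence in depth: drop world-open ingress on the DB port (IPv4 and IPv6).
  # revoke fails when no matching rule exists, so tolerate that and move on.
  port=$(instance_port "$id")
  instance_security_groups "$id" | while IFS= read -r sg; do
    run ec2 revoke-security-group-ingress --group-id "$sg" \
      --protocol tcp --port "$port" --cidr 0.0.0.0/0 || true
    run ec2 revoke-security-group-ingress --group-id "$sg" --ip-permissions \
      "IpProtocol=tcp,FromPort=$port,ToPort=$port,Ipv6Ranges=[{CidrIpv6=::/0}]" || true
  done
}

# Exit 0 when no instance is still flagged publicly accessible.
verify_none_public() {
  [ -z "$(list_public_instances)" ]
}

main() {
  local public id
  # Assign first so a failing describe call (e.g. AccessDenied) aborts under
  # set -e instead of being mistaken for "no public instances".
  public=$(list_public_instances)
  for id in $public; do
    echo "== remediating $id"
    remediate_instance "$id"
  done
  if [ "$DRY_RUN" != "1" ]; then
    if verify_none_public; then
      echo "OK: no publicly accessible RDS DB instances remain"
    else
      echo "WARNING: some instances are still publicly accessible" >&2
      exit 1
    fi
  fi
}

# Usage:  ./rds-prohibit-public.sh run            (dry run, prints the plan)
#         DRY_RUN=0 ./rds-prohibit-public.sh run  (apply the changes)
if [ "${1:-}" = "run" ]; then main; fi
```

Review the dry-run plan before applying it, and run the script in every region that hosts RDS instances. If an instance is in the middle of another modification the modify-db-instance call is rejected with InvalidDBInstanceState; wait for the status to return to available and run the script again.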

Troubleshooting:

1. If no RDS DB instances are listed in step 1, none is flagged publicly accessible and no further action is required for this rule (the Security Group review in step 2c may still be worthwhile as defence in depth).

2. If the AWS CLI commands fail or return nothing, confirm that the profile in use has the IAM (Identity and Access Management) permissions the steps require: rds:DescribeDBInstances, rds:ModifyDBInstance, ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress. Permission problems surface as an AccessDenied error on stderr; an empty result from the step 1 query with no error usually means the query was mistyped (for example 'true' in quotes instead of backticks).

3. If there are any complications or issues in understanding or implementing the steps, reach out to AWS Support or your organization's designated AWS administrator for assistance.

Summary:

By following the steps above, the PubliclyAccessible attribute is cleared and world-open Security Group rules are removed, so RDS DB instances in scope for FedRAMP Low Revision 4 are reachable only from within the VPC or through controlled network paths. This reduces the attack surface of the database tier and supports the confidentiality and integrity of your database resources.
