
Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures that RDS snapshots do not allow public access to prevent unauthorized users from accessing sensitive data.

Rule: RDS snapshots should prohibit public access
Framework: FedRAMP Low Revision 4
Severity: Critical

Rule Description:

This rule ensures that RDS (Relational Database Service) snapshots are not publicly accessible. It applies to RDS snapshots within an AWS account that is subject to the FedRAMP Low requirements, Revision 4.

Reasoning:

Prohibiting public access to RDS snapshots enhances the security and confidentiality of the data stored in the database backups. Allowing public access increases the risk of unauthorized access and potential data breaches. Compliance with the FedRAMP Low requirements ensures the implementation of necessary security measures for protecting sensitive information.

Steps to troubleshoot if public access is enabled:

  1. Identify the affected RDS snapshot by checking its settings or tags.
  2. Verify the associated security group rules to ensure there are no public ingress rules allowing access from any source (e.g., 0.0.0.0/0 or ::/0).
  3. Validate the Network Access Control List (NACL) rules for the subnet associated with the RDS instance, confirming that no inbound rules permit access from outside the desired network range.
  4. Review the VPC (Virtual Private Cloud) endpoint configurations and ensure that there are no public endpoints allowing access to RDS snapshots.

Remediation Steps:

To remediate and prohibit public access for the affected RDS snapshot, follow these steps:

Method 1: Using the AWS Management Console

  1.
  2. Navigate to the "Snapshots" section.
  3. Find the RDS snapshot in question.
  4. Select the snapshot by clicking the checkbox next to it.
  5. In the "Actions" dropdown menu, click on "Modify Snapshot Permissions."
  6. Ensure that the snapshot is not shared with any AWS account that you don't want to grant access to.
  7. Click "Save" to update the permissions and prohibit public access.

Method 2: Using AWS CLI (Command Line Interface)

  1. Open the Terminal or Command Prompt.
  2. Run the following AWS CLI command to remove the public share (the "all" value of the snapshot's restore attribute) from the affected RDS snapshot:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all

Replace <snapshot-identifier> with the identifier of the RDS snapshot. Only the public "all" value is removed; any individual AWS account IDs the snapshot is explicitly shared with remain in place.

  3. After executing the command, verify that the snapshot's permissions have been updated successfully.
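The CLI command above fixes one snapshot at a time. The following added example (my code, not Cloud Defense's or AWS's) audits every manual snapshot in an account for the public "all" restore value, removes it through the same API call, and re-reads the attribute to confirm; it assumes the boto3 RDS client methods describe_db_snapshots, describe_db_snapshot_attributes and modify_db_snapshot_attribute, and uses a constructed in-memory stand-in (FakeRds) with sample snapshots so it runs without AWS credentials.

```python
# Added example (not Cloud Defense's code). Assumes the boto3 RDS client methods used
# below; pass boto3.client("rds") for a real run. FakeRds is a constructed in-memory
# stand-in with sample snapshots so the example runs offline.
PUBLIC = "all"  # AWS uses the literal value "all" in the restore attribute to mean public

def restore_values(attrs):
    """Pull the 'restore' values out of a DescribeDBSnapshotAttributes response."""
    for a in attrs.get("DBSnapshotAttributesResult", {}).get("DBSnapshotAttributes", []):
        if a.get("AttributeName") == "restore":
            return list(a.get("AttributeValues", []))
    return []

def find_public_snapshots(rds):
    """Identifiers of manual snapshots shared with 'all', following Marker pagination."""
    public, params = [], {"SnapshotType": "manual"}  # automated snapshots cannot be shared
    while True:
        page = rds.describe_db_snapshots(**params)
        for snap in page.get("DBSnapshots", []):
            sid = snap["DBSnapshotIdentifier"]
            if PUBLIC in restore_values(rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)):
                public.append(sid)
        if not page.get("Marker"):
            return public
        params["Marker"] = page["Marker"]

def remove_public_access(rds, sid):
    """API equivalent of `--values-to-remove all`; account shares are kept. Re-reads to verify."""
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=sid, AttributeName="restore",
                                     ValuesToRemove=[PUBLIC])
    return PUBLIC not in restore_values(rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid))

class FakeRds:
    """Constructed stand-in for boto3.client('rds'); sharing = {snapshot_id: [restore values]}."""
    def __init__(self, sharing):
        self.sharing = sharing
    def describe_db_snapshots(self, SnapshotType="manual", Marker=None):
        ids = sorted(self.sharing)
        start = ids.index(Marker) if Marker else 0
        out = {"DBSnapshots": [{"DBSnapshotIdentifier": i} for i in ids[start:start + 2]]}
        if start + 2 < len(ids):
            out["Marker"] = ids[start + 2]  # pages of two, mimicking AWS Marker pagination
        return out
    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": list(self.sharing[DBSnapshotIdentifier])}]}}
    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToRemove=()):
        keep = [v for v in self.sharing[DBSnapshotIdentifier] if v not in ValuesToRemove]
        self.sharing[DBSnapshotIdentifier] = keep

# Constructed sample: two public snapshots (one also shared with a specific account), one private.
SAMPLE = FakeRds({"prod-db-2024-01": ["all"], "prod-db-2024-02": ["123456789012", "all"], "dev-db": []})
```

Running `for sid in find_public_snapshots(SAMPLE): remove_public_access(SAMPLE, sid)` clears the "all" entry from both prod snapshots while leaving the explicit share with 123456789012 intact.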

Additional Notes:

  • Regularly monitor and audit the permissions of RDS snapshots to ensure ongoing compliance with the rule.
  • Consider enabling encryption for RDS snapshots to further enhance the security of the backup data.
  • Document the changes made, including the date and the person responsible, for audit and tracking purposes.
