
Rule: RDS DB Instances Should Prohibit Public Access

This rule ensures RDS DB instances do not allow public access, maintaining security protocols.

Rule: RDS DB instances should prohibit public access
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

This rule ensures that RDS (Relational Database Service) DB instances within an AWS account are configured to prohibit public access. Publicly accessible DB instances have their network endpoints exposed to the public internet, which increases the risk of unauthorized access and potential security breaches. This rule is specifically designed to align with the guidelines provided in the Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 compliance requirements.

Troubleshooting Steps:

  1. Identify the list of RDS DB instances within the AWS account.
  2. Check whether each DB instance currently allows public access.
  3. Determine the reason for public access, if any.
  4. Analyze the security group associated with each DB instance to find any inbound rules allowing access from the public IP range (0.0.0.0/0).
  5. Verify whether DB instances are part of a subnet that is publicly accessible.
  6. Verify whether any Network Access Control Lists (ACLs) or route tables permit public internet traffic to reach the DB instance.
  7. Evaluate whether any DB parameter groups or option groups are configured to allow public access.
  8. Review the VPC (Virtual Private Cloud) configuration to ensure that the DB instance's security group is properly associated with subnets that are not publicly accessible.

Remediation:

To comply with the rule, follow these steps to prohibit public access to RDS DB instances:

  1. Identify the RDS DB instances that are publicly accessible:

     aws rds describe-db-instances

  2. For each publicly accessible DB instance, modify the associated security group to disallow public access (the CIDR source is passed with --cidr):

     aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr 0.0.0.0/0

     Replace <security-group-id> with the actual security group ID associated with the RDS DB instance, and <port-number> with the specific port number used for database connections (e.g., 3306 for MySQL).

  3. Optionally, if the DB instances are part of a public subnet, move them to a private subnet that does not have a route to the internet, attaching the security group intended for that subnet:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --vpc-security-group-ids <security-group-id1> --apply-immediately

     Replace <db-instance-id> with the DB instance identifier and <security-group-id1> with the ID of the desired security group for the private subnet.

  4. After making the necessary changes, verify that public access has been successfully disabled for each DB instance:

     aws rds describe-db-instances

     Ensure that the output does not display any publicly accessible DB instances (the PubliclyAccessible field should be false for every instance).
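The check behind steps 1, 2 and 4 can be automated against the JSON that the two CLI commands return. The following script is an added example, not part of the original page or of any vendor tool: it runs offline over constructed samples shaped like `aws rds describe-db-instances` and `aws ec2 describe-security-groups` output (instance names, group IDs and ports are made up), flags any instance whose PubliclyAccessible is true, and flags any attached security group that admits the DB port from 0.0.0.0/0; it also goes beyond the page by treating the IPv6 wildcard ::/0 the same way.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output (not real account data).
DESCRIBE_DB_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60001", "Status": "active"}]},
    {"DBInstanceIdentifier": "reports-db", "Engine": "postgres", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60002", "Status": "active"}]},
]})

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
DESCRIBE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

def open_ingress(sg, port):
    """True if the security group admits the DB port from any address."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        covers_port = proto == "-1" or (proto == "tcp" and lo <= port <= hi)
        ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if covers_port and OPEN_CIDRS.intersection(ranges):
            return True
    return False

def find_public_instances(db_json, sg_json):
    """Return (instance id, reason) for every finding that violates the rule."""
    sgs = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in json.loads(db_json)["DBInstances"]:
        name, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
        if db.get("PubliclyAccessible"):
            findings.append((name, "PubliclyAccessible=true (endpoint resolves to a public IP)"))
        for ref in db.get("VpcSecurityGroups", []):
            sg = sgs.get(ref["VpcSecurityGroupId"])
            if sg and open_ingress(sg, port):
                findings.append((name, f"{sg['GroupId']} allows port {port} from 0.0.0.0/0 or ::/0"))
    return findings

if __name__ == "__main__":
    for inst, why in find_public_instances(DESCRIBE_DB_INSTANCES, DESCRIBE_SECURITY_GROUPS):
        print(f"{inst}: {why}")
```

An empty result is the pass condition for step 4; on a real account, feed the script the saved output of the two CLI commands instead of the embedded samples.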

Conclusion:

By implementing the provided remediation steps, you can ensure that RDS DB instances in your AWS account align with the rule of prohibiting public access, as defined in the FedRAMP Low Revision 4 compliance requirements. Regularly monitoring the configuration and promptly addressing any deviations helps maintain the desired security posture for your RDS infrastructure.
