Rule: RDS DB instances should prohibit public access

This rule ensures RDS DB instances restrict public access to enhance security measures.

Rule: RDS DB instances should prohibit public access
Framework: FedRAMP Moderate Revision 4
Severity: High

RDS DB Instances Public Access Prohibition for FedRAMP Moderate Revision 4

Description

As per the FedRAMP Moderate Revision 4 security standards, it is necessary to prohibit public access to the Amazon RDS (Relational Database Service) DB instances. Public access means that the DB instances can be accessed over the internet, which increases the risk of unauthorized access and potential data breaches.

Troubleshooting Steps

If public access is enabled for RDS DB instances in violation of the FedRAMP Moderate Revision 4 requirements, you can follow these troubleshooting steps to rectify the issue:

  1. Identify the affected RDS DB instance(s) with public access enabled.
  2. Review the instance settings to determine how public access was configured.
  3. Assess the potential risks associated with public access to the DB instances.
  4. Identify the source(s) of public access, such as a security group rule or an assigned Publicly Accessible attribute.

Necessary Codes

The following code lists every RDS DB instance in the current account and region that has public access enabled:

```python
import boto3

client = boto3.client('rds')

# Walk every page of results; a single describe_db_instances call returns at most 100 instances,
# so an unpaginated loop would silently skip the rest in larger accounts.
paginator = client.get_paginator('describe_db_instances')

for page in paginator.paginate():
    for instance in page['DBInstances']:
        # PubliclyAccessible is the instance attribute this rule checks.
        if instance.get('PubliclyAccessible'):
            print("Public access is enabled for instance:", instance['DBInstanceIdentifier'])
```

Remediation Steps

  1. Identify the affected DB instances:
     • Run the provided code snippet, or open the RDS service in the AWS Management Console.
     • Filter the instances to identify any with the "Publicly Accessible" attribute set to "Yes."
  2. Disable public access for the DB instances:
     • Select the affected DB instance and click the "Modify" button.
     • In the "Network & Security" section, uncheck the "Publicly Accessible" option.
     • Save the changes and wait for the modification to be applied.
  3. Verify the changes:
     • Once the modification is complete, re-run the code snippet provided earlier, or check the AWS Management Console, to confirm that public access is now disabled for the DB instance(s).
     • Check the "Publicly Accessible" attribute and ensure it is set to "No" for each DB instance.
  4. Update security groups and network settings if necessary:
     • If clients still need network connectivity after public access is disabled, review and update the security group rules and network configuration so that access is allowed only from trusted, secure sources.
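The following is an added example, not Cloud Defense's own code, that ties the two checks this rule calls for together: it flags the PubliclyAccessible attribute and also any attached security group rule open to 0.0.0.0/0 or ::/0 (the second source of exposure named in troubleshooting step 4 and remediation step 4), and performs remediation step 2 through the API. The instance names, security group ids and port are constructed stand-ins, and the two stub classes replace real boto3 clients so the example runs offline.

```python
# Constructed stubs standing in for boto3.client("rds") / boto3.client("ec2") so this runs offline;
# real clients expose the same get_paginator, describe_security_groups and modify_db_instance calls.
WORLD = {"0.0.0.0/0", "::/0"}              # IPv4 and IPv6 "anyone" CIDRs
_PAGE = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-tight"}]}]}
_SGS = [{"GroupId": "sg-open", "IpPermissions": [{"FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-tight", "IpPermissions": [{"FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}]

class StubRds:
    modified = []                                    # records modify_db_instance calls
    def get_paginator(self, _name): return self      # the stub doubles as its own paginator
    def paginate(self): return [_PAGE]
    def modify_db_instance(self, **kwargs): self.modified.append(kwargs)

class StubEc2:
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [g for g in _SGS if g["GroupId"] in GroupIds]}

def world_open_rules(ec2, group_ids):
    """(group, from_port, to_port, cidr) for each ingress rule that admits the whole internet."""
    hits = []
    groups = ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"] if group_ids else []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            hits += [(sg["GroupId"], perm.get("FromPort"), perm.get("ToPort"), c) for c in cidrs if c in WORLD]
    return hits

def audit(rds, ec2):
    """Map each instance id to its findings; an empty list means the rule passes."""
    report = {}
    pages = rds.get_paginator("describe_db_instances").paginate()   # a bare call caps at 100 records
    for inst in (i for page in pages for i in page["DBInstances"]):
        findings = ["PubliclyAccessible=true"] if inst.get("PubliclyAccessible") else []
        groups = [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])]
        findings += [f"{g} allows {c} on {lo}-{hi}" for g, lo, hi, c in world_open_rules(ec2, groups)]
        report[inst["DBInstanceIdentifier"]] = findings
    return report

def disable_public_access(rds, identifier):
    """Remediation step 2 as an API call; ApplyImmediately avoids waiting for the maintenance window."""
    rds.modify_db_instance(DBInstanceIdentifier=identifier, PubliclyAccessible=False, ApplyImmediately=True)
```

Against real clients, pass `boto3.client("rds")` and `boto3.client("ec2")` to `audit`; an instance with the flag cleared but a world-open security group still shows a finding, which is why remediation step 4 exists.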

Notes

  • Disabling public access for RDS DB instances helps to ensure compliance with the FedRAMP Moderate Revision 4 security standards.
  • By following the remediation steps, you reduce the risk of unauthorized access to your DB instances and enhance the security posture of your infrastructure.
  • Remember to regularly review and audit your RDS instances' security configurations to maintain compliance and protect sensitive data.
