Ensure that RDS DB instances do not allow public access to enhance security.
| Rule | RDS DB instances should prohibit public access |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | High |
Rule Description
The RDS (Relational Database Service) DB instances should prohibit public access for FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4. This rule ensures that the DB instances are not accessible from the public internet, thereby enhancing the security and compliance of the system.
Troubleshooting Steps
If public access is mistakenly allowed to RDS DB instances, it can pose significant security risks. Here are some troubleshooting steps to ensure that public access is prohibited:
Verify Security Group Rules: Check the inbound rules of the security group(s) attached to the RDS DB instance. Ensure that no rule allows the database port (or all traffic) from an internet-wide source such as 0.0.0.0/0 or ::/0.
Confirm Subnet Configuration: Ensure that the RDS DB instance is not mistakenly placed in a public subnet (one whose route table has a route to an internet gateway). DB instances should be placed in private subnets that have no direct route to the internet.
Review Network Access Control Lists (ACLs): Review the Network ACLs associated with the subnet where the RDS DB instance resides. Confirm that there are no rules allowing inbound/outbound access from/to the public internet.
Check VPC Peering and VPN Connections: If the RDS DB instance is connected to other VPCs or on-premises networks through VPC peering or VPN connections, validate that proper access controls are in place and public access is restricted.
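The following script, added here as an illustration and not part of the original rule page, evaluates the rule and the first troubleshooting step together: it flags every DB instance whose PubliclyAccessible flag is set, and every attached security group that opens the instance's port to 0.0.0.0/0 or ::/0. The input dictionaries are constructed to match the shape of the DescribeDBInstances and DescribeSecurityGroups API responses; in practice they would come from boto3 calls.

```python
from typing import Any, Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}   # IPv4 / IPv6 "anywhere" sources

# Constructed sample data shaped like boto3's rds.describe_db_instances()
# and ec2.describe_security_groups() responses; the identifiers are made up.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]},
]
SECURITY_GROUPS = {
    "sg-0aaa": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0bbb": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
}

def rule_exposes_port(perm: Dict[str, Any], port: int) -> bool:
    """True if one inbound security-group rule admits the whole internet to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic": no port fields are present
        in_range = True
    elif proto == "tcp":
        in_range = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
    else:
        return False                        # udp/icmp rules cannot reach the DB listener
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return in_range and bool(cidrs & WORLD)

def evaluate(instances: List[Dict[str, Any]],
             security_groups: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (instance id, reason) for every instance that fails the rule:
    the PubliclyAccessible flag itself, or a security group open to the internet."""
    findings = []
    for db in instances:
        ident, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
        if db.get("PubliclyAccessible"):
            findings.append((ident, "PubliclyAccessible is true"))
        for sg in db.get("VpcSecurityGroups", []):
            sg_id = sg["VpcSecurityGroupId"]
            perms = security_groups.get(sg_id, {}).get("IpPermissions", [])
            if any(rule_exposes_port(p, port) for p in perms):
                findings.append((ident, f"{sg_id} admits the internet to port {port}"))
    return findings
```

Run against live data by feeding `evaluate()` the `DBInstances` list from `describe_db_instances` and a dict of `describe_security_groups` entries keyed by group id.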
Necessary Codes
To enforce the rule that RDS DB instances prohibit public access, you can use the following snippets:
AWS CLI
```shell
# The change is scheduled for the next maintenance window unless you add --apply-immediately
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --publicly-accessible false
```
AWS CloudFormation
```yaml
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceClass: db.t3.micro   # required by the resource type; example value
      Engine: postgres               # required by the resource type; example value
      AllocatedStorage: '20'
      PubliclyAccessible: false
```
AWS CDK (TypeScript)
```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

// `stack` and `vpc` are assumed to be defined elsewhere in the CDK app
const myDBInstance = new rds.DatabaseInstance(stack, 'MyDBInstance', {
  engine: rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_15 }),
  vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, // private subnets only
  // other properties
  publiclyAccessible: false,
});
```
Remediation Steps
To remediate an RDS DB instance that allows public access, follow these steps:
Identify the RDS DB instance(s) that need to have public access prohibited.
Access the AWS Management Console or use the AWS CLI to modify the RDS DB instance configuration.
Set the "Publicly Accessible" parameter to "False" for the identified DB instance(s). This configuration change will restrict public access to the DB instance.
Monitor the RDS DB instance to confirm that the change has taken effect (the modification may not apply until the next maintenance window) and that public access is now prohibited.
By following these steps, you can successfully remediate the issue and ensure that public access is prohibited for the RDS DB instances, aligning with FedRAMP Moderate Revision 4 requirements.