This rule ensures that RDS snapshots do not allow public access.
| Rule | RDS snapshots should prohibit public access |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Critical |
Rule Description:
RDS (Relational Database Service) snapshots should prohibit public access for FedRAMP Moderate Revision 4 compliance. This policy ensures that any RDS snapshot created within the AWS account adheres to security best practices by disallowing public access.
Remediation Steps:
To remediate the issue, follow the steps below:
1. Log in to the AWS Management Console.
2. Open the Amazon RDS service.
3. From the navigation pane, click on "Snapshots."
4. Select the snapshot that needs to be modified for compliance.
5. Click on the "Actions" dropdown menu, and then select "Modify Snapshot Permissions."
6. In the "Modify Snapshot Permissions" window, uncheck the option that allows "Public" access to the snapshot.
7. Click "Save" to apply the changes.

Repeat the above steps for all RDS snapshots that require public access prohibition.
Troubleshooting Steps:
If you encounter any issues while modifying the snapshot permissions, consider the following troubleshooting steps:
- Verify that you have the necessary permissions to modify RDS snapshots. Ensure that your IAM (Identity and Access Management) user or role has the required privileges.
- Check if you have selected the correct snapshot. Double-check the snapshot name and verify that it is the one that requires public access prohibition.
- Confirm that there are no ongoing operations or maintenance tasks running on the selected snapshot. Wait for any actions to complete before attempting to modify the permissions.
- If there are multiple AWS accounts involved, ensure that the account you are using to modify the snapshot permissions has appropriate cross-account access.
If none of the above troubleshooting steps resolve the issue, consider reaching out to AWS Support for further assistance.
AWS CLI Commands:
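The following AWS CLI command removes public access from a snapshot by removing the value "all" from its "restore" attribute:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all
If a specific account still needs to restore the snapshot, grant access to that account only:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-add <AWS-account-ID>
Ensure you replace <snapshot-identifier> with the actual identifier of the snapshot, and <AWS-account-ID> with the account ID that should have access. Run the first command for each snapshot that requires public access prohibition. Remember to configure the AWS CLI with appropriate credentials and region before executing the command.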
Note: AWS CLI commands are provided as a convenient alternative to the AWS Management Console, but familiarity with the CLI is assumed.
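Added example (not part of the original rule text): a snapshot is public when its "restore" attribute contains the value "all", which is visible in the output of aws rds describe-db-snapshot-attributes. The Python script below audits responses in that format and builds the command that removes the public grant; the sample responses, snapshot identifiers and account IDs are constructed for illustration.

```python
import json
import shlex

# Constructed sample: one `aws rds describe-db-snapshot-attributes` response per
# snapshot. Snapshot identifiers and account IDs are made up for illustration.
def _resp(snapshot_id, values):
    return json.dumps({"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": snapshot_id,
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": values}]}})

SAMPLE_RESPONSES = [
    _resp("orders-manual-01", ["all"]),                # public
    _resp("reports-manual-02", ["111122223333"]),      # shared with one account
    _resp("billing-manual-03", []),                    # private
    _resp("legacy-export", ["111122223333", "all"]),   # public and shared
]

def restore_values(response_json):
    """Return (snapshot_id, restore attribute values) from one CLI response."""
    result = json.loads(response_json)["DBSnapshotAttributesResult"]
    values = []
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            values.extend(attr.get("AttributeValues", []))
    return result["DBSnapshotIdentifier"], values

def audit(responses):
    """Split snapshots into public ones and ones shared with named accounts."""
    public, shared = [], {}
    for raw in responses:
        snap_id, values = restore_values(raw)
        if "all" in values:
            public.append(snap_id)      # violates the rule
        elif values:
            shared[snap_id] = values    # compliant, but worth reviewing
    return public, shared

def remediation_command(snapshot_id):
    """Build the CLI call that removes the public ("all") restore grant."""
    args = ["aws", "rds", "modify-db-snapshot-attribute",
            "--db-snapshot-identifier", snapshot_id,
            "--attribute-name", "restore", "--values-to-remove", "all"]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    public, shared = audit(SAMPLE_RESPONSES)
    for snap_id in public:
        print(remediation_command(snap_id))
    for snap_id, accounts in shared.items():
        print(f"# review cross-account share: {snap_id} -> {accounts}")
```

Removing "all" leaves any explicitly named account IDs in place, so a snapshot that was both public and shared stays shared with those accounts after remediation.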