This rule ensures that RDS snapshots are not publicly accessible, so that the data they contain cannot be restored by arbitrary AWS accounts.
| Rule | RDS snapshots should prohibit public access |
| Framework | HIPAA |
| Severity | Critical |
Rule Description: Prohibit Public Access to RDS Snapshots for HIPAA Compliance
Overview
Under the Health Insurance Portability and Accountability Act (HIPAA), protecting patients' sensitive health information is paramount. When using AWS RDS to store such information, it is critical to ensure that snapshots of the database instances are not publicly accessible. AWS RDS snapshots can contain sensitive data, and leaving them public can lead to data breaches and non-compliance with HIPAA regulations.
RDS Snapshots and Public Accessibility
Amazon RDS allows users to take snapshots of their database instances. These snapshots can be shared with specific AWS accounts or made public. However, for HIPAA-compliant applications, snapshots must not be publicly accessible due to the sensitive nature of the information they may contain.
Troubleshooting Steps if Public Access is Detected
1. Identify public snapshots: use the AWS Management Console, AWS CLI, or AWS API to list all manual snapshots and check the public accessibility status of each one.
2. Modify snapshot attributes: if a snapshot is public, change its restore attribute to make it private.
3. Audit and monitor for compliance: set up regular audits and monitoring using AWS services such as AWS Config, or third-party tools, to ensure snapshots remain private.
4. Implement IAM policies: ensure IAM policies are in place to restrict who can modify snapshot permissions.
Necessary Codes and Commands
AWS CLI Commands
List all RDS Snapshots to Check Public Accessibility
for s in $(aws rds describe-db-snapshots --snapshot-type manual --query 'DBSnapshots[*].DBSnapshotIdentifier' --output text); do
  aws rds describe-db-snapshot-attributes --db-snapshot-identifier "$s" --query 'DBSnapshotAttributesResult.{ID:DBSnapshotIdentifier,RestoreAttribute:DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues|[0]}' --output text; done
The DescribeDBSnapshots response does not carry a public flag; public access is recorded in the snapshot's restore attribute, which is returned by describe-db-snapshot-attributes. A snapshot is public when that attribute contains the value all. Only manual snapshots can be shared or made public, so automated snapshots need not be checked.
Modify a Snapshot to Remove Public Access
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all
Replace <snapshot-identifier> with the actual identifier of the snapshot you want to modify.
AWS IAM Policy to Restrict Snapshot Public Access
IAM provides no condition key that inspects the value being written to a snapshot attribute, so the policy denies the attribute-modifying actions for DB snapshots and DB cluster snapshots outright. Attach it to the principals that should not be able to share snapshots; keep a separate, tightly scoped administrative role for legitimate sharing with specific accounts.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "rds:ModifyDBSnapshotAttribute",
        "rds:ModifyDBClusterSnapshotAttribute"
      ],
      "Resource": [
        "arn:aws:rds:*:*:snapshot:*",
        "arn:aws:rds:*:*:cluster-snapshot:*"
      ]
    }
  ]
}
Step by Step Guide for Remediation
Step 1: Identify Public Snapshots
Using the provided AWS CLI command, identify any snapshots that have been marked as publicly accessible.
Step 2: Modify Snapshot Attributes
For each public snapshot, use the AWS CLI modify-db-snapshot-attribute command to remove the public accessibility.
Step 3: Update IAM Policies
Update existing IAM policies to prevent modification of snapshot attributes that could make them public.
Step 4: Regular Audits and Monitoring
Set up ongoing monitoring with AWS Config rules or a similar service to ensure compliance and detect any changes to snapshot accessibility.
Step 5: Documentation and Procedures
Ensure documentation is up to date and procedures are in place to handle snapshot creation and permissions accordingly.
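The five steps above can be carried out as one audit-and-remediate routine. The following Python script is an added example for this rule, not code from the original page or from AWS; it evaluates the data shape returned by the RDS API calls DescribeDBSnapshots and DescribeDBSnapshotAttributes (boto3: describe_db_snapshots and describe_db_snapshot_attributes), flags every snapshot whose restore attribute contains all, and builds the same ModifyDBSnapshotAttribute call the CLI command above performs. The sample API responses and snapshot names in it are constructed, and the audit_live_account function is a hypothetical wrapper that needs AWS credentials; the pure functions run offline.

```python
"""Audit RDS manual snapshots for public access and build remediation calls.

Added example for this rule; not part of the original page or any AWS project.
The sample responses below are constructed, not captured from a real account.
"""
from typing import Dict, List

# A snapshot is public when its "restore" attribute contains the value "all".
PUBLIC_MARKER = "all"


def is_public(attributes_result: Dict) -> bool:
    """Return True if a DescribeDBSnapshotAttributes result marks the snapshot public."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and PUBLIC_MARKER in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(attribute_results: List[Dict]) -> List[str]:
    """Return the identifiers of all snapshots that are publicly restorable."""
    return [r["DBSnapshotIdentifier"] for r in attribute_results if is_public(r)]


def remediation_request(snapshot_id: str) -> Dict:
    """Build the ModifyDBSnapshotAttribute parameters that make a snapshot private.

    Equivalent to:
      aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id>
          --attribute-name restore --values-to-remove all
    """
    return {
        "DBSnapshotIdentifier": snapshot_id,
        "AttributeName": "restore",
        "ValuesToRemove": [PUBLIC_MARKER],
    }


# Constructed sample: one private snapshot, one shared with a single account,
# one public. Shape mirrors the DBSnapshotAttributesResult object of the API.
SAMPLE_ATTRIBUTE_RESULTS = [
    {"DBSnapshotIdentifier": "patients-db-2024-01-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    {"DBSnapshotIdentifier": "patients-db-shared",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]},
    {"DBSnapshotIdentifier": "patients-db-public",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
]


def audit_live_account(region: str, apply_fix: bool = False) -> List[str]:
    """Hypothetical wrapper: run the audit against a real account with boto3.

    Lists manual snapshots, checks each one's restore attribute, and optionally
    removes public access. Returns the identifiers that were found public.
    """
    import boto3  # imported here so the pure functions above run without boto3

    rds = boto3.client("rds", region_name=region)
    results = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    public = find_public_snapshots(results)
    if apply_fix:
        for sid in public:
            rds.modify_db_snapshot_attribute(**remediation_request(sid))
    return public


if __name__ == "__main__":
    # Offline demonstration on the constructed sample data.
    for sid in find_public_snapshots(SAMPLE_ATTRIBUTE_RESULTS):
        print(f"PUBLIC: {sid} -> fix with {remediation_request(sid)}")
```

Run it on a schedule, or from an AWS Config rule evaluation, so that a snapshot accidentally shared with all is caught and reverted; a snapshot shared with a named account (the second sample entry) is not flagged, because sharing with a specific account is a separate decision from public exposure.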
Adhering to this rule will help maintain HIPAA compliance and protect sensitive data stored within AWS RDS instances.