Rule: RDS DB Instances Should Prohibit Public Access
This rule ensures that RDS DB instances do not allow public access, maintaining data security.
| Rule | RDS DB instances should prohibit public access |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description
According to NIST 800-171 Revision 2, RDS DB instances should prohibit public access. Public access to the database instances can increase the risk of unauthorized access, data breaches, and potential security vulnerabilities. It is important to ensure that the RDS DB instances are only accessible by authorized users and resources.
Troubleshooting Steps
Step 1: Verify the RDS DB instance's network settings
- 1.Go to the AWS Management Console and open the Amazon RDS service.
- 2.Select the appropriate region.
- 3.Click on "Databases" in the left sidebar.
- 4.Identify the RDS DB instance(s) you want to review.
- 5.Click on the DB instance name to view its details.
Step 2: Check the security group associated with the RDS DB instance
- 1.In the RDS instance details page, go to the "Connectivity & security" tab.
- 2.Under "Security" section, locate the security group associated with the RDS DB instance.
- 3.Note down the security group name for further troubleshooting.
Step 3: Review the security group settings
- 1.Open the Amazon VPC service in the AWS Management Console.
- 2.Select the appropriate region.
- 3.Click on "Security Groups" in the left sidebar.
- 4.Locate and select the security group identified in the previous step.
- 5.Review the inbound and outbound rules defined for the security group.
Step 4: Ensure there are no public access rules
- 1.In the selected security group, review the inbound rules.
- 2.Ensure that there are no rules allowing traffic from 0.0.0.0/0 or specific public IP ranges.
- 3.If any public access rules are found, delete or modify them accordingly.
Step 5: Verify the accessibility of the RDS DB instance
- 1.Access the RDS DB instance using appropriate methods such as connecting to it with a database client or application.
- 2.Confirm that the RDS DB instance is not accessible publicly.
- 3.Ensure that only authorized users and resources can connect to the RDS DB instance.
Code Samples
There are no specific code snippets required for this rule as it involves checking and configuring the network and security settings using the AWS Management Console.
Remediation Steps
To remediate the public access issue for an RDS DB instance:
- 1.Go to the AWS Management Console and open the Amazon RDS service.
- 2.Select the appropriate region.
- 3.Click on "Databases" in the left sidebar.
- 4.Identify the RDS DB instance(s) you want to update.
- 5.Click on the DB instance name to view its details.
- 6.In the instance details page, go to the "Connectivity & security" tab.
- 7.Under the "Security" section, click on the associated security group.
- 8.In the security group details page, review the inbound rules.
- 9.Remove any rules allowing public access, such as those with source IP of 0.0.0.0/0 or specific public IP ranges.
- 10.Save the changes.
- 11.Verify the accessibility of the RDS DB instance to ensure it is not accessible publicly.
- 12.Ensure that only authorized users and resources can connect to the RDS DB instance.
NOTE: It is recommended to follow the principle of least privilege when configuring the security group rules by allowing access only from specific trusted sources, such as specific IP addresses or security groups.