Rule: RDS DB Instances Should Prohibit Public Access

This rule ensures that RDS DB instances do not allow public access, enhancing security.

Rule: RDS DB instances should prohibit public access
Framework: NIST 800-53 Revision 4
Severity: High

Rule Description:

The rule mandates that Amazon RDS DB instances should not have public access enabled in order to comply with the security requirements outlined in NIST 800-53 Revision 4.

Enabling public access can expose sensitive database information to unauthorized entities, increasing the risk of unauthorized access, data breaches, or malicious activities.

Troubleshooting Steps:

If public access is enabled for an RDS DB instance, you may encounter issues or potential vulnerabilities. To troubleshoot and address this, follow the steps below:

  1. Verify RDS DB Instance Security Group: Ensure that the RDS DB instance is associated with a security group that restricts public access.
  2. Verify Inbound Rules: Check the inbound rules of the associated security group to ensure that it does not allow access from any public IP addresses or CIDR blocks.
  3. Check VPC Network ACLs: If the security group is properly configured, verify the associated VPC Network ACLs (if applicable) to ensure there are no permissive inbound rules allowing public access.
  4. Check RDS Instance Settings: Review the configuration settings of the RDS DB instance and examine the network-related settings. Ensure that the "Publicly Accessible" parameter is set to "false" to prohibit public access.
  5. Perform Penetration Testing: Conduct thorough penetration testing against the RDS DB instance to identify any potential vulnerabilities or misconfigurations.
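Steps 1 to 4 can be scripted. The following is an added example and not CloudDefense's own code: it walks lists shaped like boto3's describe_db_instances and describe_security_groups output (constructed samples here, not a real account) and reports every instance with "Publicly Accessible" set to true, noting whether one of its security groups also admits the database port from 0.0.0.0/0 or ::/0.

```python
# Added example (not CloudDefense's own code): audit RDS instances for the rule
# described above. Input dicts are constructed samples shaped like the boto3
# rds.describe_db_instances()["DBInstances"] and ec2.describe_security_groups()["SecurityGroups"] lists.
INTERNET = ("0.0.0.0/0", "::/0")

def rule_opens_port(rule, port):
    """True if one IpPermissions entry admits `port` from the whole internet."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":          # "-1" means all protocols and all ports
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in INTERNET for c in cidrs)

def audit_rds(instances, security_groups):
    """Return (db id, reason) for every instance with PubliclyAccessible=True."""
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in instances:
        if not db.get("PubliclyAccessible"):
            continue                      # no public IP assigned: rule satisfied
        port = db["Endpoint"]["Port"]
        exposed = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])
                   if any(rule_opens_port(r, port) for r in
                          sgs.get(g["VpcSecurityGroupId"], {}).get("IpPermissions", []))]
        reason = (f"port {port} open to the internet via {exposed}" if exposed
                  else "no open ingress found, but set PubliclyAccessible to False")
        findings.append((db["DBInstanceIdentifier"], reason))
    return findings

# Constructed sample data, not from a real account
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-office"}]},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-office", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                                "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

if __name__ == "__main__":
    print(*audit_rds(SAMPLE_INSTANCES, SAMPLE_SGS), sep="\n")
```

To run it against an account, replace the samples with the `DBInstances` and `SecurityGroups` lists returned by boto3's `rds.describe_db_instances()` and `ec2.describe_security_groups()`.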

Remediation:

To remediate this issue and enforce the rule compliance, follow the steps below:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon RDS service.
  3. Select the relevant RDS DB instance from the list.
  4. Click on "Modify" to edit the configuration of the selected DB instance.
  5. In the "Network & Security" section, locate the "Publicly Accessible" parameter.
  6. Set the parameter value to "No" or "False" to disable public access.
  7. Review other configuration settings if necessary and make any required changes.
  8. Click on "Apply Changes" to save the modified configuration.

Once the above steps are completed, the RDS DB instance will have public access disabled, ensuring compliance with NIST 800-53 Revision 4.

Additional Notes:

  • Ensure that necessary firewall rules are in place to only allow access from trusted IP addresses or specific CIDR blocks.
  • Regularly review and audit the security group and network ACL configurations to detect any potential misconfigurations that may lead to public access.
  • Regularly update and patch the RDS DB instance to protect against known vulnerabilities and security issues.
  • Implement other security best practices, such as enabling encryption at rest and in transit, using strong database credentials, and disabling unnecessary database services or features.
