
Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures that RDS snapshots do not allow public access, enhancing security measures.

Rule: RDS snapshots should prohibit public access
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

RDS snapshots should prohibit public access to comply with the NIST 800-53 Revision 5 security standard. A manual snapshot of an Amazon Relational Database Service (RDS) instance or Aurora cluster can be shared with specific AWS accounts or marked public. A public snapshot can be copied and restored by any AWS account, which exposes the full contents of the database rather than just its network endpoint. This rule checks that a snapshot's "restore" attribute does not contain the value "all", which is how RDS records public sharing. Encrypted snapshots cannot be shared publicly and automated snapshots cannot be shared at all, so the rule concerns manual, unencrypted snapshots, including manual Aurora cluster snapshots.

Enforcing this rule adds a layer of protection to your database backups and assists in meeting compliance requirements.

Troubleshooting Steps (if applicable)

  1. Check the snapshot's current sharing attribute. A snapshot is public when the value "all" appears in its "restore" attribute (shown by aws rds describe-db-snapshot-attributes; for Aurora cluster snapshots use describe-db-cluster-snapshot-attributes). Any other values are the IDs of AWS accounts the snapshot is shared with; confirm each one is an approved account.
  2. Snapshot sharing is independent of the RDS instance's security groups, subnets and VPC configuration. Those settings control network access to the running instance, not who can copy the snapshot, so a network review will neither explain nor fix a public snapshot.
  3. Review IAM policies that grant rds:ModifyDBSnapshotAttribute or rds:ModifyDBClusterSnapshotAttribute, since those permissions are what allow a principal to make a snapshot public. Restrict them to the roles that manage backups.
  4. Review AWS CloudTrail for ModifyDBSnapshotAttribute and ModifyDBClusterSnapshotAttribute events whose attributeName is "restore" and whose valuesToAdd contains "all" to establish who made the snapshot public and when. Copies made by other accounts while it was public are logged in their accounts, not yours, so treat the data as potentially disclosed for that interval.

Necessary Code (if applicable)

No separate code is required for this rule. The change is an update to the snapshot's "restore" attribute, made in the AWS Management Console or with the AWS CLI (aws rds modify-db-snapshot-attribute, or modify-db-cluster-snapshot-attribute for Aurora cluster snapshots).

Remediation Steps

Follow these step-by-step instructions to remediate the RDS snapshot public access issue:

  1. Open the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the appropriate region from the region selector in the upper-right corner of the console. Snapshots are regional, so repeat the review in every region you use.
  3. Click on "Snapshots" in the left-hand navigation pane and open the "Manual" tab. Automated snapshots cannot be shared and do not need review.
  4. Identify the target snapshot that needs remediation and click on its name.
  5. In the snapshot details page, check the sharing information to verify whether the snapshot's visibility is "Public".
  6. If the snapshot is public, choose "Actions" and then "Share snapshot".
  7. Under "Snapshot visibility", select "Private".
  8. Review the list of AWS account IDs the snapshot is shared with and remove any account that is not approved. Snapshots are shared with whole AWS accounts, not with individual IAM users or roles; access inside a receiving account is governed by that account's own IAM policies.
  9. Click "Save" to apply the modifications.
  10. After saving, re-open the snapshot and verify that its visibility is now "Private" and that only approved account IDs remain.
  11. Repeat the above steps for any other snapshots that require remediation, including manual Aurora cluster snapshots, which have the same sharing settings.

Making a snapshot private stops further copies but does not recall copies that other accounts made while it was public. If CloudTrail shows the snapshot was public for any length of time, treat the database contents as potentially disclosed and rotate any credentials or secrets stored in it.
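The detection in the troubleshooting steps and the fix in the remediation steps can be scripted against the same RDS API actions the console uses (DescribeDBSnapshots, DescribeDBSnapshotAttributes, ModifyDBSnapshotAttribute). The Python below is an added example, not Cloud Defense's or AWS's code. So that it runs offline it uses a constructed stub client with three made-up snapshots in place of boto3.client("rds"); the stub's method names and keyword arguments match boto3's, so a live account only needs the real client swapped in. The snapshot names, account IDs and the approved-account list are assumptions.

```python
"""Find and fix publicly shared RDS snapshots (added example, not Cloud Defense code).

The helpers work on the dictionaries returned by the RDS API actions
DescribeDBSnapshots, DescribeDBSnapshotAttributes and
ModifyDBSnapshotAttribute; `aws rds describe-db-snapshot-attributes` prints
the same JSON. Aurora cluster snapshots use the DBClusterSnapshot* variants
of the same calls and the same "restore" attribute.
"""
from typing import Dict, List, Set

# RDS records a public snapshot by putting the value "all" in its "restore" attribute.
PUBLIC = "all"


def restore_values(attrs_result: Dict) -> List[str]:
    """Return the "restore" attribute values from a DBSnapshotAttributesResult
    (or DBClusterSnapshotAttributesResult): "all" and/or shared account IDs."""
    attrs = attrs_result.get("DBSnapshotAttributes") or attrs_result.get(
        "DBClusterSnapshotAttributes", []
    )
    for attr in attrs:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attrs_result: Dict) -> bool:
    """True when any AWS account may copy or restore the snapshot."""
    return PUBLIC in restore_values(attrs_result)


def unapproved_shares(attrs_result: Dict, approved: Set[str]) -> List[str]:
    """Account IDs the snapshot is shared with that are not on the allow list."""
    return [a for a in restore_values(attrs_result) if a != PUBLIC and a not in approved]


def audit_manual_snapshots(rds, approved: Set[str], fix: bool = False) -> Dict[str, Dict]:
    """Check every manual instance snapshot in the region and optionally remediate.

    Only manual snapshots can be shared, so SnapshotType="manual" covers the rule.
    With fix=True the public flag is removed via ModifyDBSnapshotAttribute with
    ValuesToRemove=["all"]. Shares with unapproved accounts are reported but left
    in place so a person confirms them before they are revoked.
    """
    findings: Dict[str, Dict] = {}
    marker = None
    while True:  # follow the Marker pagination of DescribeDBSnapshots
        kwargs = {"SnapshotType": "manual"}
        if marker:
            kwargs["Marker"] = marker
        page = rds.describe_db_snapshots(**kwargs)
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            result = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)[
                "DBSnapshotAttributesResult"
            ]
            public = is_public(result)
            extra = unapproved_shares(result, approved)
            if not public and not extra:
                continue
            findings[sid] = {"public": public, "unapproved_accounts": extra, "fixed": False}
            if public and fix:
                rds.modify_db_snapshot_attribute(
                    DBSnapshotIdentifier=sid, AttributeName="restore", ValuesToRemove=[PUBLIC]
                )
                findings[sid]["fixed"] = True
        marker = page.get("Marker")
        if not marker:
            return findings


class StubRds:
    """Constructed stand-in for boto3.client("rds") so the example runs offline.
    Holds three made-up snapshots; method names and keyword arguments match boto3."""

    def __init__(self) -> None:
        self.shares = {
            "prod-db-2024-01-01": ["all"],                           # public
            "prod-db-2024-01-02": ["111111111111", "222222222222"],  # shared with two accounts
            "prod-db-2024-01-03": [],                                # private
        }

    def describe_db_snapshots(self, **kwargs) -> Dict:
        return {"DBSnapshots": [{"DBSnapshotIdentifier": s, "SnapshotType": "manual"}
                                for s in self.shares]}

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier: str) -> Dict:
        return {"DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": DBSnapshotIdentifier,
            "DBSnapshotAttributes": [{"AttributeName": "restore",
                                      "AttributeValues": list(self.shares[DBSnapshotIdentifier])}]}}

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier: str, AttributeName: str,
                                     ValuesToAdd=(), ValuesToRemove=()) -> Dict:
        current = self.shares[DBSnapshotIdentifier]
        self.shares[DBSnapshotIdentifier] = [v for v in current if v not in ValuesToRemove] + list(ValuesToAdd)
        return self.describe_db_snapshot_attributes(DBSnapshotIdentifier)


if __name__ == "__main__":
    rds = StubRds()              # replace with boto3.client("rds", region_name=...) for a live account
    approved = {"111111111111"}  # assumed allow list of accounts that may receive snapshots
    print("findings:", audit_manual_snapshots(rds, approved))
    print("after fix:", audit_manual_snapshots(rds, approved, fix=True))
```

For Aurora, substitute describe_db_cluster_snapshots, describe_db_cluster_snapshot_attributes and modify_db_cluster_snapshot_attribute with the DBClusterSnapshotIdentifier argument; restore_values already reads the cluster result shape, so the detection logic is unchanged. Run it per region, since snapshots are regional.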

Additional Recommendations

  • Regularly review and audit the permissions of your RDS snapshots to ensure ongoing compliance with the security standard; the AWS Config managed rule rds-snapshots-public-prohibited and the Security Hub control "RDS snapshot should be private" evaluate this continuously.
  • Encrypt RDS instances and their snapshots with a KMS key. Encrypted snapshots cannot be made public, which removes this misconfiguration class outright.
  • Restrict the IAM permissions rds:ModifyDBSnapshotAttribute and rds:ModifyDBClusterSnapshotAttribute to the roles that manage backups. Security group rules protect the running instance but have no effect on snapshot sharing.
  • Follow AWS security best practices and guidelines to further enhance the overall security posture of your RDS infrastructure.
  • Monitor CloudTrail for ModifyDBSnapshotAttribute and ModifyDBClusterSnapshotAttribute events that add "all" to the "restore" attribute and alert on them, so that a snapshot made public is detected within minutes rather than at the next audit.
