Rule: RDS DB Instances Should Prohibit Public Access
This rule ensures RDS DB instances do not allow public access to protect sensitive data
| Rule | RDS DB instances should prohibit public access |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
To comply with NIST 800-53 Revision 5, RDS (Relational Database Service) DB instances should prohibit public access. Public access refers to the accessibility of the DB instance through the internet, allowing unauthorized users to potentially access the database.
Enabling public access can lead to security vulnerabilities, including unauthorized access, data breaches, and the potential for malicious activities. To ensure the security of the RDS DB instance and to adhere to the NIST 800-53 Revision 5 guidelines, it is essential to configure the necessary settings to prohibit public access.
Troubleshooting Steps:
If public access is detected for an RDS DB instance, follow these troubleshooting steps to address the issue:
- 1.
Verify current access settings:
- From the AWS Management Console, navigate to the RDS service.
- Select the appropriate DB instance.
- Check the "Connectivity & security" tab to determine if public access is enabled.
- 2.
Disabling public access:
- If public access is enabled, do the following:
- Modify the DB instance settings to remove the public accessibility option.
- Update the associated security groups to ensure inbound traffic is restricted to authorized sources only.
Necessary Codes:
In some cases, modifying the DB instance and security group settings may require executing CLI commands. Use the following code examples as a reference:
- 1.Disable public accessibility for an RDS DB instance using the AWS CLI:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --no-publicly-accessible
Replace
<DB_INSTANCE_ID>- 1.Update the security group rules to allow access only from authorized sources:
aws ec2 authorize-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port <PORT_NUMBER> --cidr <AUTHORIZED_CIDR>
Replace
<SECURITY_GROUP_ID><PORT_NUMBER><AUTHORIZED_CIDR>Remediation Steps:
To remediate the RDS DB instance and prohibit public access, follow these step-by-step guidelines:
- 1.
Login to the AWS Management Console.
- 2.
Navigate to the RDS service.
- 3.
Identify the target DB instance that allows public access.
- 4.
Select the DB instance.
- 5.
In the "Connectivity & security" tab, verify if the "Publicly accessible" option is enabled.
- 6.
If enabled, click "Modify" at the top-right corner.
- 7.
In the "Modify DB instance" dialog, uncheck the "Publicly accessible" option.
- 8.
Review other settings if necessary and click "Continue."
- 9.
Review the summary and click "Modify DB instance."
- 10.
Wait for the modification to complete.
- 11.
Update the security group associated with the DB instance to allow access from authorized sources only.
- 12.
Navigate to the EC2 service.
- 13.
Select "Security Groups" from the left-hand panel.
- 14.
Locate and select the security group associated with the DB instance.
- 15.
Click the "Inbound Rules" tab.
- 16.
Review the existing rules and identify any rules allowing unrestricted access (
or0.0.0.0/0
).::/0 - 17.
To remove a rule, select it and click "Delete" at the bottom of the table.
- 18.
To add authorized rules, click "Edit inbound rules" and then "Add rule."
- 19.
Specify the protocol, port range, and authorized CIDR block to restrict access appropriately.
- 20.
Click "Save rules" to apply the changes.
By following these steps, you can remediate the RDS DB instance to prohibit public access, aligning with NIST 800-53 Revision 5 guidelines.