This rule ensures that RDS snapshots do not have public access to prevent data breaches.
Rule | RDS snapshots should prohibit public access
Framework | NIST 800-53 Revision 5
Severity | Critical
Rule Description
This rule ensures that RDS (Relational Database Service) snapshots do not permit public access, in compliance with NIST 800-53 Revision 5 security guidelines. Publicly accessible RDS snapshots can expose sensitive data and pose significant security risks.
Troubleshooting Steps
If snapshots are found to be publicly accessible, follow these troubleshooting steps to remediate the issue:
Identify the publicly accessible RDS snapshots: Use AWS CLI or AWS Management Console to identify the RDS snapshots with public accessibility.
Determine the root cause: Check the snapshot permissions and associated IAM policies to identify how public access was granted.
Review snapshot settings: Verify the DB snapshot sharing settings to ensure that the snapshot is not shared publicly (in the console, snapshot visibility must not be "Public"; in the API, the snapshot's "restore" attribute must not contain the value "all").
Examine security group rules: Analyze the associated security group rules for the RDS instance to check for any incorrect ingress or egress rules allowing public access.
Check IAM permissions: Review the IAM policies associated with the RDS snapshots to identify any misconfigurations or incorrect permissions.
Necessary Code
The following AWS CLI commands can be used to identify publicly accessible RDS snapshots. Only manual snapshots can be shared, so first list their identifiers:
aws rds describe-db-snapshots --snapshot-type manual --query 'DBSnapshots[].DBSnapshotIdentifier' --output text
Then inspect the "restore" attribute of each snapshot; a snapshot is public if the output contains the value all:
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <snapshot-identifier> --query "DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]"
Remediation Steps
Follow these steps to remediate the issue of public access for RDS snapshots:
Identify the affected RDS snapshots: Run the AWS CLI command mentioned above to identify the publicly accessible RDS snapshots.
Disable public accessibility: Modify the affected RDS snapshot's sharing attribute to remove public access using the following AWS CLI command:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all
Replace <snapshot-identifier> with the identifier of the affected snapshot.
Check security group rules: Review the associated security group rules for the RDS instance to ensure that there are no ingress or egress rules allowing public access. Modify the security group settings if necessary.
Review IAM policies: Analyze the IAM policies associated with the RDS snapshots and ensure that only authorized users or roles have access to the snapshots.
Regularly audit snapshots: Periodically check and audit the RDS snapshots to ensure that public access is not re-enabled.
By following these steps, you can successfully restrict public access to RDS snapshots and maintain compliance with NIST 800-53 Revision 5.
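The identification and remediation steps above can be automated so that the check runs on a schedule rather than by hand. The script below is an added example, not part of the original rule text or of any AWS tooling. It assumes the response shape of the RDS describe-db-snapshot-attributes API (a DBSnapshotAttributesResult whose "restore" attribute lists the account IDs a snapshot is shared with, or the value "all" for public) and, for the live mode, that boto3 is installed and credentials with rds:Describe* and rds:ModifyDBSnapshotAttribute permissions are available. The sample data is constructed; the snapshot names and account ID in it are placeholders. Note that snapshot sharing is governed entirely by this restore attribute, independently of the source instance's security groups.

```python
"""Audit RDS manual snapshots for public sharing and emit the matching remediation.

Added example; the sample results below are constructed and not real account data.
"""
import json
import sys

# Public sharing of an RDS snapshot is expressed by the value "all" in the
# "restore" attribute of the snapshot's DBSnapshotAttributesResult.
PUBLIC_MARKER = "all"


def is_public(attributes_result):
    """Return True if the given DBSnapshotAttributesResult grants restore to 'all'."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and PUBLIC_MARKER in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(results):
    """Return identifiers of all public snapshots in a list of attribute results."""
    return [r["DBSnapshotIdentifier"] for r in results if is_public(r)]


def remediation_command(snapshot_id):
    """Build the CLI command that removes public access from one snapshot."""
    return (
        "aws rds modify-db-snapshot-attribute "
        f"--db-snapshot-identifier {snapshot_id} "
        "--attribute-name restore --values-to-remove all"
    )


# Constructed sample: what three describe-db-snapshot-attributes calls might return.
# "prod-db-2024-01-01" is public, "prod-db-shared" is shared with one placeholder
# account, and "prod-db-private" is not shared at all.
SAMPLE_RESULTS = json.loads("""[
 {"DBSnapshotIdentifier": "prod-db-2024-01-01",
  "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
 {"DBSnapshotIdentifier": "prod-db-shared",
  "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
 {"DBSnapshotIdentifier": "prod-db-private",
  "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}
]""")


def audit_account(rds, fix=False):
    """Live audit over every manual snapshot using a boto3 RDS client (assumption:
    credentials with rds:Describe* and, if fix=True, rds:ModifyDBSnapshotAttribute).
    Only manual snapshots can be shared, so automated ones are skipped."""
    public = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            snapshot_id = snap["DBSnapshotIdentifier"]
            result = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snapshot_id)["DBSnapshotAttributesResult"]
            if is_public(result):
                public.append(snapshot_id)
                if fix:
                    # Same effect as the CLI remediation command above.
                    rds.modify_db_snapshot_attribute(
                        DBSnapshotIdentifier=snapshot_id,
                        AttributeName="restore",
                        ValuesToRemove=[PUBLIC_MARKER],
                    )
    return public


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # only needed for the live path
        for sid in audit_account(boto3.client("rds"), fix="--fix" in sys.argv):
            print(f"public snapshot: {sid}")
    else:
        # Offline demonstration on the constructed sample data.
        for sid in find_public_snapshots(SAMPLE_RESULTS):
            print(f"public snapshot: {sid}")
            print(f"  remediation: {remediation_command(sid)}")
```

Run it without arguments to see the detection logic on the constructed sample; run with --live to audit the current account read-only, and add --fix to remove public sharing from every snapshot found. Keeping the detection in a pure function over the API's response shape makes the check unit-testable and lets the same logic back a scheduled job that alerts when public access is re-enabled, which is the periodic audit the remediation steps call for.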