This rule ensures that RDS DB instances are not publicly accessible.
Rule: RDS DB instances should prohibit public access
Framework: NIST 800-53 Revision 5
Severity: High
Rule Description:
The rule requires Amazon Relational Database Service (RDS) instances to be configured so that public access is prohibited, as required by the NIST 800-53 Revision 5 security standard. This protects the confidentiality and integrity of the database and prevents unauthorized access or data breaches.
Troubleshooting Steps:
If public access is enabled for an RDS instance, follow the steps below to troubleshoot and rectify the issue:
Review Security Group: Verify the inbound rules of the security group associated with the RDS instance. Ensure there are no rules that allow inbound traffic from public IP addresses or CIDR blocks.
Check Internet Accessibility: Confirm that the RDS instance is not accessible publicly by attempting to connect to the instance using a public IP or DNS.
Verify Subnet settings: Ensure that the RDS instance is not deployed in a public subnet. Public subnets have route tables associated with an Internet Gateway, allowing for public accessibility.
Review VPC / Network ACL: Examine the Network Access Control List (ACL) associated with the RDS instance's subnet(s). Validate that it does not permit inbound or outbound traffic to or from public IP addresses.
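The checks above, as an added example that is not part of the original rule text: a Python audit that evaluates records shaped like boto3's describe_db_instances, describe_security_groups and describe_route_tables responses for the public-access flag, security group rules open to public IP space, and subnets routed to an internet gateway. The sample records and all identifiers are constructed; the network ACL review is not automated here.

```python
# Audit RDS instances for public exposure from records shaped like boto3's describe_* responses.
import ipaddress

def sg_open_to_world(sg):
    """(port, cidr) pairs for ingress rules reachable from public IP space."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0") or ipaddress.ip_network(cidr, strict=False).is_global:
                findings.append((perm.get("FromPort"), cidr))
    return findings

def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table forwards traffic to an internet gateway."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))
    return False  # not explicitly associated: uses the main table, treated as private here

def audit_instance(db, security_groups, route_tables):
    """Reasons a DB instance violates the rule; an empty list means compliant."""
    reasons = []
    if db.get("PubliclyAccessible"):  # the flag the RDS console shows as "Public access"
        reasons.append("PubliclyAccessible is true")
    sgs = {g["GroupId"]: g for g in security_groups}
    for ref in db.get("VpcSecurityGroups", []):
        for port, cidr in sg_open_to_world(sgs[ref["VpcSecurityGroupId"]]):
            reasons.append(f"{ref['VpcSecurityGroupId']} allows {cidr} on port {port}")
    for sn in db["DBSubnetGroup"]["Subnets"]:
        if subnet_is_public(sn["SubnetIdentifier"], route_tables):
            reasons.append(f"{sn['SubnetIdentifier']} routes to an internet gateway")
    return reasons

# constructed sample data; identifiers are placeholders, not from a real account
SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [{"FromPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [{"FromPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
]
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-pub"}], "Routes": [{"GatewayId": "igw-1"}]},
                {"Associations": [{"SubnetId": "subnet-priv"}], "Routes": [{"GatewayId": "local"}]}]
EXPOSED_DB = {"DBInstanceIdentifier": "exposed", "PubliclyAccessible": True, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}],
              "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub"}]}}
PRIVATE_DB = {"DBInstanceIdentifier": "private", "PubliclyAccessible": False, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-app"}],
              "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv"}]}}

if __name__ == "__main__":
    for db in (EXPOSED_DB, PRIVATE_DB):
        print(db["DBInstanceIdentifier"], audit_instance(db, SECURITY_GROUPS, ROUTE_TABLES) or "compliant")
```

Against a live account, the three lists would be filled from the corresponding boto3 describe calls (paginating as needed) before calling audit_instance on each DB instance.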
Remediation:
To remediate the violation and enforce the prohibition of public access for RDS instances, follow the step-by-step guide below:
Identify the RDS Instance: Determine the RDS instance that needs to be modified to prohibit public access.
Update Security Group Rules: Open the Amazon RDS console or use the AWS Command Line Interface (CLI) to modify the security group associated with the RDS instance. Remove any inbound rules allowing access from public IP addresses or CIDR blocks. The following AWS CLI command clears the instance's public accessibility flag and sets the security groups attached to it:
aws rds modify-db-instance --db-instance-identifier [instance-id] --no-publicly-accessible --vpc-security-group-ids [security-group-ids]
Replace [instance-id] with the identifier of the RDS instance and [security-group-ids] with the new or existing security group ID(s) to apply.
Verify Public Accessibility: Re-check the RDS instance's public accessibility to ensure it is no longer reachable from the internet.
Move to Private Subnet: If the RDS instance is deployed in a public subnet, you should consider migrating it to a private subnet. Create a new subnet within the existing VPC and update the RDS instance's subnet group to utilize the new private subnet.
Review Network ACL: Validate that the Network ACL associated with the RDS instance's subnet denies any inbound or outbound traffic from public IP addresses.
Ensure VPC Security: To enhance security, verify that the existing VPC has appropriate security measures in place, including security groups, network ACLs, and route tables.
Regularly Monitor and Audit: Continuously monitor and audit the RDS instances for any public accessibility and promptly address any security misconfigurations.
By following these steps, you can successfully enforce the prohibition of public access for RDS instances and align with the requirements of the NIST 800-53 Revision 5 security standard.