
Rule: RDS Snapshots Should Prohibit Public Access

Ensure RDS snapshots prohibit public access to maintain critical compliance standards.

Rule: RDS snapshots should prohibit public access
Framework: PCI v3.2.1
Severity: Critical

Rule Description

RDS (Relational Database Service) snapshots should prohibit public access to comply with Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. A snapshot is public when its "restore" attribute contains the value all, which lets any AWS account copy the snapshot and restore it into a database that account controls. From there every row can be read in full without ever touching your VPC, security groups or IAM policies, so a public snapshot of a database holding cardholder data is a direct path to a breach. Two properties of RDS bound the problem: only manual snapshots can be shared (automated snapshots must first be copied to a manual snapshot), and an encrypted snapshot cannot be shared publicly, so encryption at rest is a useful backstop for this control.

Remediation Steps

To enforce this rule and restrict public access to RDS snapshots, follow the steps below:

Step 1: Access AWS Management Console

  1. Go to the AWS Management Console (https://console.aws.amazon.com/) and sign in with an identity that is allowed to modify RDS snapshot attributes.

Step 2: Navigate to RDS Service

  1. Click the "Services" menu at the top of the console.
  2. Select "RDS" under the "Database" section to open the RDS service.

Step 3: Select the RDS Snapshot

  1. Use the region selector in the navigation bar to switch to the region where the snapshot is stored. Snapshots are regional, so a public snapshot in another region will not appear in this list; repeat the check in every region you use.
  2. Click "Snapshots" in the left-hand menu. Only manual snapshots can be shared, so the manual snapshot list is the one to review.

Step 4: Modify Snapshot Permissions

  1. Locate the snapshot whose public access you want to remove.
  2. Select the checkbox next to the snapshot name.
  3. Open the "Actions" menu and choose "Share snapshot" (older console versions label this "Modify Snapshot Permissions").

Step 5: Remove Public Access

  1. In the share dialog, set the snapshot visibility to "Private" instead of "Public".
  2. If specific AWS accounts still need the snapshot, enter their 12-digit account IDs and add them. Sharing is granted per AWS account; it cannot be scoped to individual IAM users or roles, so anyone in an added account who is allowed to restore snapshots can read the data.
  3. Click "Save" to apply the change, then reopen the dialog to confirm the visibility now reads "Private".

Troubleshooting

If you encounter any issues or if the changes are not applied as expected, consider the following troubleshooting steps:

  1. Permission Error: Make sure you have the necessary permissions (rds:ModifyDBSnapshotAttribute to change sharing, and rds:DescribeDBSnapshotAttributes to verify the result). Contact your AWS account administrator or IAM administrator if needed.
  2. Snapshot Not Found: Double-check the region and snapshot name. If the database is an Aurora cluster, its snapshots are cluster snapshots, which are listed and shared separately (the CLI equivalents are describe-db-cluster-snapshot-attributes and modify-db-cluster-snapshot-attribute) even though the "restore" attribute and the value all work the same way.
  3. Public Access Still Present: Snapshot sharing is controlled only by the snapshot's "restore" attribute; security groups and NACLs govern network access to running instances and have no effect on who can copy a snapshot. Run aws rds describe-db-snapshot-attributes for the snapshot: if AttributeValues for "restore" still contains all, the change did not apply and the modify call should be repeated. Also check for copies of the snapshot, which carry their own sharing settings, and for automation (deployment pipelines, scheduled scripts) that may have re-shared it after you made it private.

Code Example (AWS CLI)

You can also use the AWS Command Line Interface (CLI) to modify RDS snapshot permissions. Here's an example command:

aws rds modify-db-snapshot-attribute --region <region-name> --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all

Replace <region-name> with the appropriate AWS region code and <snapshot-identifier> with the identifier of the snapshot you want to modify. The value that marks a snapshot as public is the literal all, so removing it from the restore attribute revokes public access while leaving any explicitly shared account IDs in place; the --values-to-add option is only needed when granting access to additional accounts.

Make sure you have the AWS CLI installed and configured with appropriate credentials before executing the command.
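The console procedure above fixes one snapshot at a time and the CLI command assumes you already know which snapshot is public. The following script, an added example rather than Cloud Defense's or AWS's own tooling, does the audit step the page implies but never shows: it reads the restore attribute of every manual snapshot in a region, reports the ones containing all, and with --remediate removes only that value, then re-reads the attribute to confirm. The parsing helpers work on plain dicts and run offline against the constructed sample responses at the bottom; audit_region() assumes boto3 is installed and that the credentials in use carry rds:DescribeDBSnapshots, rds:DescribeDBSnapshotAttributes and rds:ModifyDBSnapshotAttribute. The snapshot names and account ID in the samples are made up.

```python
"""Find manual RDS snapshots whose restore attribute makes them public and,
optionally, remove that access.

Added example, not Cloud Defense's or AWS's own tooling. The pure helpers
work on dicts shaped like the describe_db_snapshot_attributes() response;
audit_region() additionally assumes boto3 is installed and that the
credentials in use carry rds:DescribeDBSnapshots,
rds:DescribeDBSnapshotAttributes and rds:ModifyDBSnapshotAttribute.
"""
from __future__ import annotations

import argparse
import json

# The "restore" attribute is what the console calls snapshot sharing.
# An account ID in it shares the snapshot with that account; the literal
# value "all" is what the console shows as "Public".
RESTORE_ATTRIBUTE = "restore"
PUBLIC_VALUE = "all"


def restore_principals(attributes_response: dict) -> list[str]:
    """Return who may restore the snapshot: account IDs and/or 'all'."""
    result = attributes_response.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == RESTORE_ATTRIBUTE:
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attributes_response: dict) -> bool:
    """True when any AWS account can copy or restore the snapshot."""
    return PUBLIC_VALUE in restore_principals(attributes_response)


def shared_accounts(attributes_response: dict) -> list[str]:
    """Account IDs the snapshot is explicitly shared with (public access excluded)."""
    return [p for p in restore_principals(attributes_response) if p != PUBLIC_VALUE]


def audit_region(region: str, remediate: bool = False) -> list[dict]:
    """List public manual snapshots in `region`; with remediate=True, make them private.

    Explicit account shares are left in place: the fix for public access is to
    remove "all", not to revoke every partner account at the same time.
    """
    import boto3  # imported lazily so the helpers above work without boto3

    rds = boto3.client("rds", region_name=region)
    findings: list[dict] = []
    # Only manual snapshots can be shared, so automated ones need no check.
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)
            if not is_public(attrs):
                continue
            finding = {
                "snapshot": sid,
                "arn": snap["DBSnapshotArn"],
                "still_shared_with": shared_accounts(attrs),
                "remediated": False,
            }
            if remediate:
                rds.modify_db_snapshot_attribute(
                    DBSnapshotIdentifier=sid,
                    AttributeName=RESTORE_ATTRIBUTE,
                    ValuesToRemove=[PUBLIC_VALUE],
                )
                # Re-read the attribute instead of trusting that the call took effect.
                after = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)
                finding["remediated"] = not is_public(after)
            findings.append(finding)
    return findings


# Constructed sample responses in the shape of describe_db_snapshot_attributes()
# output; they are not captured from a real account.
SAMPLE_PUBLIC = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "orders-db-final-snapshot",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all", "123456789012"]}
        ],
    }
}
SAMPLE_SHARED = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "orders-db-shared-with-partner",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["123456789012"]}
        ],
    }
}
SAMPLE_PRIVATE = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "orders-db-private",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}],
    }
}

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Report (and optionally fix) public RDS snapshots")
    parser.add_argument("--region", required=True)
    parser.add_argument("--remediate", action="store_true", help="remove public access from each finding")
    args = parser.parse_args()
    print(json.dumps(audit_region(args.region, args.remediate), indent=2))
```

Run it once per region without --remediate to get the list of findings, review the still_shared_with accounts (a snapshot that was public may also have been shared with accounts you no longer recognise), then run again with --remediate. Aurora cluster snapshots follow the same pattern with describe_db_cluster_snapshots, describe_db_cluster_snapshot_attributes (whose result key is DBClusterSnapshotAttributesResult) and modify_db_cluster_snapshot_attribute, so the helpers need only the result key changed to cover them.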

Note

The exact steps and commands may vary depending on your AWS Management Console version, but the overall concepts and actions remain the same.
