
Rule: RDS DB Instances should prohibit public access

This rule ensures that RDS DB instances are not reachable from the public internet: the instance is not configured as Publicly Accessible and its security groups do not admit inbound traffic from any address.

Rule: RDS DB Instances should prohibit public access
Framework: PCI v3.2.1
Severity: Critical

Description:

The rule states that RDS (Amazon Relational Database Service) DB instances should prohibit public access, in line with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1, whose Requirement 1.3 prohibits direct public access between the internet and any system component in the cardholder data environment. A database that stores or processes payment card data must not be a target that anyone on the internet can connect to.

For an RDS instance, "public access" means two things together: the instance is configured as Publicly Accessible, so its endpoint DNS name resolves to a public IP address when queried from outside the VPC, and at least one attached security group allows inbound connections from the internet (0.0.0.0/0 or ::/0). Access should instead be confined to authorized, private networks (the VPC, peered VPCs, or VPN-connected networks), so that the confidentiality, integrity, and availability of cardholder data do not depend on database credentials alone.

Troubleshooting Steps:

  1. Verify the current RDS DB instance network settings and the VPC security groups attached to it.
  2. Check that the "Publicly Accessible" parameter is set to "No."
  3. Ensure that no inbound rule in any attached security group allows access from 0.0.0.0/0 or ::/0 (any IP address on the internet).
  4. Resolve the instance endpoint from outside the VPC and confirm it does not return a public IP address. RDS does not expose a separately managed public IP: the endpoint resolves to a public address only while "Publicly Accessible" is "Yes."

Necessary Codes:

No application code change is required for this rule. The fix is a configuration change to the DB instance and its security groups, made through the AWS Management Console or the AWS Command Line Interface (CLI), as described under Remediation Steps.

Remediation Steps:

The following steps outline the process to remediate this issue:

  1. Open the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the RDS DB instance that needs to be modified.
  3. Click on the "Modify" button to access the configuration settings.
  4. Scroll down to the "Network & Security" section.
  5. Set the "Publicly Accessible" parameter to "No."
  6. Review the security groups associated with the RDS DB instance.
  7. Remove any inbound rules allowing access from 0.0.0.0/0 or ::/0, and replace them with rules that admit only the application's security group or the specific private CIDR ranges that need database access.
  8. Save the changes by clicking on the "Modify DB Instance" button. Choose whether to apply the change immediately or during the next maintenance window; until it is applied, the instance stays publicly accessible.

Alternatively, you can use the AWS CLI to modify the RDS DB instance:

  1. Open the AWS CLI or appropriate terminal.
  2. Run the following command to modify the RDS DB instance:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-publicly-accessible

Replace <db-instance-id> with the identifier of the RDS DB instance. Note that the AWS CLI expresses this boolean as a pair of flags, `--publicly-accessible` or `--no-publicly-accessible`; the form `--publicly-accessible false` is not accepted. Add `--apply-immediately` if the change should not wait for the next maintenance window.

  3. After modifying the publicly accessible parameter, review and update the associated security group rules accordingly, removing any inbound rule whose source is 0.0.0.0/0 or ::/0.

Note: Make sure you have the necessary permissions to modify the RDS DB instance and associated security groups (at minimum the rds:ModifyDBInstance and ec2:RevokeSecurityGroupIngress actions, plus the corresponding describe actions for verification).

Verification:

To verify if the RDS DB instance no longer allows public access:

  1. Access the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the modified RDS DB instance.
  3. Look for the "Publicly Accessible" parameter, which should now reflect "No." If the modification was scheduled for the maintenance window, the old value remains in effect until then.
  4. Review the security group rules and confirm that no inbound rule allows access from 0.0.0.0/0 or ::/0.
  5. Resolve the instance endpoint from outside the VPC and confirm it no longer returns a public IP address.
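The troubleshooting and verification steps above can be scripted so that every instance in an account is checked the same way. The following Python script is an added example for this page, not Cloud Defense's own tooling. It evaluates the output of `aws rds describe-db-instances` and `aws ec2 describe-security-groups` (the field names PubliclyAccessible, VpcSecurityGroups, IpPermissions, IpRanges and Ipv6Ranges are the real ones those commands emit); the instance names, security group IDs and rules embedded below are constructed sample data so the script runs offline, and in practice you would feed it the JSON saved from those two commands. An instance passes only when it is not publicly accessible and none of its active security groups is open to the internet, so an instance that is private but still carries a 0.0.0.0/0 rule is reported too.

```python
import ipaddress
import json

# Constructed sample data shaped like `aws rds describe-db-instances` output,
# trimmed to the fields this check reads. Names and IDs are made up.
SAMPLE_DB_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "payments-db", "PubliclyAccessible": true,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
  {"DBInstanceIdentifier": "reporting-db", "PubliclyAccessible": false,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}]},
  {"DBInstanceIdentifier": "staging-db", "PubliclyAccessible": false,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]}
]}
""")

# Constructed sample data shaped like `aws ec2 describe-security-groups` output.
# sg-0aaa is open to the whole internet over IPv4 and IPv6; sg-0bbb admits only
# a private CIDR and the application tier's own security group.
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]}
]}
""")


def world_open_ranges(permission):
    """Return the CIDRs in one inbound rule that admit the whole internet.

    The test is done with network math (prefix length 0) rather than a string
    compare, so ::/0 is caught however it is spelled (e.g. 0:0:0:0:0:0:0:0/0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def describe_ports(permission):
    """Human-readable protocol/port summary; IpProtocol "-1" means all traffic."""
    if permission.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    proto = permission["IpProtocol"]
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_rds_public_access(db_instances_json, security_groups_json):
    """Evaluate every DB instance against the rule; return a list of findings.

    Each finding is {"db", "check", "detail"}. An instance with no findings
    is both not Publicly Accessible and shielded by security groups that do
    not admit 0.0.0.0/0 or ::/0 on any port."""
    groups = {sg["GroupId"]: sg for sg in security_groups_json["SecurityGroups"]}
    findings = []
    for db in db_instances_json["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append({"db": name, "check": "publicly_accessible",
                             "detail": "endpoint resolves to a public IP from outside the VPC"})
        for ref in db.get("VpcSecurityGroups", []):
            if ref.get("Status") != "active":   # groups being detached do not count
                continue
            sg = groups.get(ref["VpcSecurityGroupId"])
            if sg is None:   # group missing from the describe output: cannot prove it safe
                findings.append({"db": name, "check": "sg_not_found",
                                 "detail": ref["VpcSecurityGroupId"]})
                continue
            for perm in sg.get("IpPermissions", []):
                for cidr in world_open_ranges(perm):
                    findings.append({"db": name, "check": "sg_open_to_internet",
                                     "detail": f"{sg['GroupId']} allows {describe_ports(perm)} from {cidr}"})
    return findings


def compliant_instances(db_instances_json, security_groups_json):
    """Identifiers of instances with no findings, sorted for stable output."""
    flagged = {f["db"] for f in audit_rds_public_access(db_instances_json, security_groups_json)}
    return sorted(db["DBInstanceIdentifier"] for db in db_instances_json["DBInstances"]
                  if db["DBInstanceIdentifier"] not in flagged)


if __name__ == "__main__":
    for f in audit_rds_public_access(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(f"FAIL {f['db']}: {f['check']} ({f['detail']})")
    print("PASS:", ", ".join(compliant_instances(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS)))
```

On the sample data, payments-db fails for being publicly accessible and for its IPv4 and IPv6 any-source rules, staging-db fails on the security group alone even though it is not publicly accessible, and only reporting-db passes. To run it against a real account, save the two describe commands' JSON to files and load them in place of the sample constants.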

By following these steps, public access to the RDS DB instance is prohibited at both the instance and the network layer, satisfying this PCI DSS v3.2.1 control.
