Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC).
Verify that AWS RDS database instances are exclusively deployed within private subnets of our VPC, as this practice safeguards them from direct internet exposure. Since Amazon handles their management, private subnets are the appropriate environment for these non-Internet-facing instances.
Risk Level: Low
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.1003
Covered by Spectral: No
Category: Database
GSL LOGIC
RDS should not have nics contain [ subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId regexMatch /igw-.*/ ] ]
REMEDIATION
From Portal
- Navigate to Amazon RDS console.
- Choose the specific RDS instance you wish to scrutinize.
- Within the Connectivity & Security section of the instance settings, access the Subnets link.
- Select the subnet listed on the page and click the Route Table tab from the dashboard bottom panel.
- If the route table displays any entry with a destination CIDR block of '0.0.0.0/0' whose target is an Internet Gateway (e.g., igw-xxxxxxxx), the chosen RDS database instance has been deployed within a public subnet. Consequently, it may not be operating within a logically isolated environment and could potentially be accessible from the broader Internet.
- Return to the subnet listing and repeat the Route Table check for each remaining subnet in the instance's DB subnet group; one public subnet in the group is enough to violate this rule.
From TF
Please update cidr_block and gateway_id in the TF code below (HCL strings are double-quoted; the closing brace of the resource block was missing):
resource "aws_default_route_table" "example" {
  default_route_table_id = aws_vpc.example.default_route_table_id

  route {
    cidr_block = "YOUR_IP"
    gateway_id = "YOUR_GATEWAY_ID"
  }
}
From Command Line
Database Configuration Retrieval:
aws rds describe-db-instances --region YOUR_REGION --db-instance-identifier YOUR_DB_IDENTIFIER --query 'DBInstances[*].DBSubnetGroup.Subnets[]'
Subnet Configuration Verification
aws ec2 describe-route-tables --region YOUR_REGION --filters "Name=association.subnet-id,Values=YOUR_SUBNET_ID" --query 'RouteTables[*].Routes[]'
Inspect the values of the 'GatewayId' and 'DestinationCidrBlock' attributes in the output. If the route table contains an entry with 'GatewayId' set to 'igw-xxxxxxxx' and 'DestinationCidrBlock' set to '0.0.0.0/0', the selected RDS database instance has been provisioned within a public subnet. Consequently, it may not be operating within a logically isolated environment and may not align with AWS security best practices. Note that a subnet with no explicit route table association uses the VPC's main route table, which the 'association.subnet-id' filter above does not return; for such subnets, inspect the route table whose association has 'Main' set to true for the VPC instead.
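The following Python script is an added example, not CloudGuard's or AWS's own code. It implements the GSL logic above over the same data the two CLI commands return (describe-db-instances and describe-route-tables response shapes) and flags every RDS instance with a subnet whose route table sends 0.0.0.0/0 to an igw-* gateway. Unlike the single-subnet CLI filter, it also resolves subnets that have no explicit association to the VPC's main route table. The sample instances, subnet IDs, gateway IDs and VPC ID are constructed; the optional fetch_from_aws helper assumes boto3 and AWS credentials are available.

```python
"""Flag Amazon RDS instances placed in public subnets (0.0.0.0/0 -> igw-*).

Data shapes follow the AWS CLI / boto3 responses for
`rds describe-db-instances` and `ec2 describe-route-tables`.
"""
import re
from typing import Dict, Iterable, List

IGW_RE = re.compile(r"^igw-.*")   # same pattern as the GSL rule's regexMatch
DEFAULT_ROUTE = "0.0.0.0/0"


def route_is_internet_default(route: dict) -> bool:
    """True when a route is 0.0.0.0/0 targeted at an Internet Gateway.

    NAT gateway routes carry NatGatewayId rather than GatewayId, so they do
    not match, which is exactly the private-subnet case the rule permits.
    """
    return (route.get("DestinationCidrBlock") == DEFAULT_ROUTE
            and bool(IGW_RE.match(route.get("GatewayId", ""))))


def subnet_to_routes(route_tables: Iterable[dict]) -> Dict[str, List[dict]]:
    """Map explicitly associated subnet IDs to their routes; the VPC main
    route table is stored under "main:<vpc-id>" for implicit associations."""
    mapping: Dict[str, List[dict]] = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                mapping[assoc["SubnetId"]] = rt.get("Routes", [])
            elif assoc.get("Main"):
                mapping["main:" + rt["VpcId"]] = rt.get("Routes", [])
    return mapping


def routes_for_subnet(subnet_id: str, vpc_id: str, mapping: Dict[str, List[dict]]) -> List[dict]:
    """Explicit association wins; otherwise fall back to the VPC main table."""
    if subnet_id in mapping:
        return mapping[subnet_id]
    return mapping.get("main:" + vpc_id, [])


def subnet_is_public(subnet_id: str, vpc_id: str, mapping: Dict[str, List[dict]]) -> bool:
    return any(route_is_internet_default(r) for r in routes_for_subnet(subnet_id, vpc_id, mapping))


def find_public_rds(db_instances: Iterable[dict], route_tables: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {DBInstanceIdentifier: [public subnet IDs]} for rule violations."""
    mapping = subnet_to_routes(route_tables)
    findings: Dict[str, List[str]] = {}
    for db in db_instances:
        group = db["DBSubnetGroup"]
        public = [s["SubnetIdentifier"] for s in group["Subnets"]
                  if subnet_is_public(s["SubnetIdentifier"], group["VpcId"], mapping)]
        if public:
            findings[db["DBInstanceIdentifier"]] = public
    return findings


def fetch_from_aws(region: str):
    """Pull the same two data sets from a live account (assumes boto3 + credentials)."""
    import boto3  # imported here so the offline sample below runs without boto3
    rds = boto3.client("rds", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    dbs = [d for p in rds.get_paginator("describe_db_instances").paginate() for d in p["DBInstances"]]
    rts = [r for p in ec2.get_paginator("describe_route_tables").paginate() for r in p["RouteTables"]]
    return dbs, rts


# Constructed sample data (not from any real account): one VPC whose main route
# table is public, one explicitly public subnet, and two NAT-routed private subnets.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "DBSubnetGroup": {"VpcId": "vpc-0a1b2c",
        "Subnets": [{"SubnetIdentifier": "subnet-pub-1"}, {"SubnetIdentifier": "subnet-priv-1"}]}},
    {"DBInstanceIdentifier": "reports-db", "DBSubnetGroup": {"VpcId": "vpc-0a1b2c",
        "Subnets": [{"SubnetIdentifier": "subnet-priv-1"}, {"SubnetIdentifier": "subnet-priv-2"}]}},
    {"DBInstanceIdentifier": "legacy-db", "DBSubnetGroup": {"VpcId": "vpc-0a1b2c",
        "Subnets": [{"SubnetIdentifier": "subnet-noassoc-1"}]}},  # no explicit association
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a1b2c", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0f00ba4"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a1b2c", "Associations": [{"SubnetId": "subnet-pub-1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0f00ba4"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0a1b2c",
     "Associations": [{"SubnetId": "subnet-priv-1"}, {"SubnetId": "subnet-priv-2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0c0ffee"}]},
]

if __name__ == "__main__":
    for db_id, subnets in find_public_rds(SAMPLE_DB_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(f"{db_id}: public subnet(s) {', '.join(subnets)}")
```

On the sample data the script reports orders-db (via subnet-pub-1) and legacy-db, whose subnet has no explicit association and therefore inherits the public main route table; reports-db passes because its default route points at a NAT gateway, not an Internet Gateway. Replace the sample lists with the result of fetch_from_aws(region) to run the same check against an account.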
References
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table
- https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html
Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Compliance Frameworks
- CloudGuard AWS All Rules Ruleset