Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.16
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS should not have isPublic = 'true'

REMEDIATION

From Portal
Use following steps to verify connectivity settings for RD databases.

Login to AWS console and Navigate to RDS.
In the left navigation, select Databases.
Select RDS instance that you want to edit.
In Connectivity & security, within Public accessibility section, Verify value as No.

Use following steps to disable public access for RDS databases.

Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.
Choose Modify. The Modify DB instance page appears.
Click 'Additional configuration' under 'Connectivity' section.
Select 'Not publicly accessible'.
Choose 'Continue' and check the summary of modifications.
Choose Modify DB instance to save your changes.

From TF

resource "aws_db_instance" "example" {
	..
	publicly_accessible = false
	..
}

From Command Line
For Linux, macOS, or Unix: Use following command to disable Publicly Accessible for the RDS instance.

aws rds modify-db-instance --db-instance-identifier DB_INSTANCE --no-publicly-accessible

For Windows: Use following command to disable Publicly Accessible for the RDS instance.

aws rds modify-db-instance --db-instance-identifier DB_INSTANCE --no-publicly-accessible

References

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

AWS CIS Controls V 8
AWS CIS Foundations v. 1.5.0
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS Dashboard System Ruleset
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset