RDS should not have Public Interface

RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.

Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.16
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS should not have isPublic = 'true'

REMEDIATION

From Portal
Use following steps to verify connectivity settings for RD databases.

  1. Login to AWS console and Navigate to RDS.
  2. In the left navigation, select Databases.
  3. Select RDS instance that you want to edit.
  4. In Connectivity & security, within Public accessibility section, Verify value as No.

Use following steps to disable public access for RDS databases.

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
  2. In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.
  3. Choose Modify. The Modify DB instance page appears.
  4. Click 'Additional configuration' under 'Connectivity' section.
  5. Select 'Not publicly accessible'.
  6. Choose 'Continue' and check the summary of modifications.
  7. Choose Modify DB instance to save your changes.

From TF

resource "aws_db_instance" "example" {
	..
	publicly_accessible = false
	..
}

From Command Line
For Linux, macOS, or Unix: Use following command to disable Publicly Accessible for the RDS instance.

aws rds modify-db-instance --db-instance-identifier DB_INSTANCE --no-publicly-accessible

For Windows: Use following command to disable Publicly Accessible for the RDS instance.

aws rds modify-db-instance --db-instance-identifier DB_INSTANCE --no-publicly-accessible

References

  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset