Ensure that public access is not given to RDS Instance

RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.

Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.17
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS where isPublic='true' should not have inboundRules with [scope isPublic()]

REMEDIATION

From Portal:
Use following steps to verify connectivity settings for RD databases.

  1. Login to AWS console and Navigate to RDS.
  2. In the left navigation, select Databases.
  3. Select RDS instance that you want to edit.
  4. In Connectivity & security, within Publicly accessible section, Verify value as No.
  5. Remove the public interface as well as limit the scope to the VPC If publicly accessible section value is Yes.
  6. Go to Security group rules section and click on each active security group name to select it for editing.
  7. On the VPC Security Groups page, select the Inbound rules tab from the bottom panel and click the Edit button to edit the selected security group ingress rules.
  8. In the Edit inbound rules dialog box, identify any inbound rules which have set the Source to Anywhere (0.0.0.0/0) and update them by using one of the following actions:
    To grant access to a certain IP address:
    a. Select Custom IP from the Source dropdown list.
    b. Enter the CIDR that you want to authorize in the Source field.
    c. Click the Save button to save the changes.
    To grant access to an EC2 Security Group:
    a. Select Custom IP from the Source dropdown list.
    b. Enter the EC2 security group ID that you want to authorize in the Source field.
    c. Click the Save button to save the changes.

From Command Line:

  1. Run following command to disable the Publicly Accessible flag for an RDS instance.
aws rds modify-db-instance --region region_name --db-instance-identifier RDS_instance_name --no-publicly-accessible --apply-immediately
  1. Run following command to revoke the VPC security group inbound rule with the public scope CIDR set to 0.0.0.0/0 that grants access to everyone.
aws ec2 revoke-security-group-ingress --region region_name --group-id security_group_id --protocol protocol_name --port port_name --cidr 0.0.0.0/0
  1. Run following command to authorize custom access based on IP/CIDR to the instances associated with the selected VPC security group (Instance access authorization based on IP/CIDR).
aws ec2 authorize-security-group-ingress --region region_name --group-id security_group_id --protocol protocol_name --port port_name --cidr specific_CIDR_value
  1. Run following command to authorize custom access based on existing EC2 security groups (Instance access authorization based on EC2 security group)
aws ec2 authorize-security-group-ingress --region region_name --group-id security_group_id --protocol protocol_name --port port_name --source-group source_security_group_id

References:

  1. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html
  2. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
  3. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
  4. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html
  7. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset