RDS Databases with Direct Connect virtual interface should not have public interfaces

Ensure that RDS databases in a VPC reached through a Direct Connect virtual interface do not have public interfaces.

Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.NET.28
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false

REMEDIATION

From Portal
First, review the virtual interfaces under the Direct Connect service:

  1. Log in to the AWS Management Console.
  2. Select the Direct Connect service and go to the Virtual interfaces tab.
  3. Verify whether any public virtual interface is associated with a VPC that hosts RDS databases.
  4. Correct the configuration so that no public internet routing passes through your Direct Connect interfaces, and ensure the affected RDS instances are not publicly accessible.
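The GSL logic above and the manual portal check can both be expressed as an offline evaluation over the three API responses involved (EC2 DescribeVpnGateways, Direct Connect DescribeVirtualInterfaces and DescribeDirectConnectGatewayAssociations, RDS DescribeDBInstances). The following is an added example, not CloudGuard or AWS code: it flags RDS instances that are PubliclyAccessible while sitting in a VPC whose attached virtual private gateway is used by a Direct Connect virtual interface, either directly or via a Direct Connect gateway association. The sample data is constructed, the resource IDs are placeholders, and the `collect_live` helper, which assumes boto3 is installed and credentials are configured, is the only part that touches a real account.

```python
"""Offline check mirroring the rule
RDS where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false
Added example; not CloudGuard's own implementation."""
from typing import Dict, Iterable, List, Set

# Constructed sample data shaped like the AWS API responses. IDs are placeholders.
SAMPLE_VPN_GATEWAYS = [
    {"VpnGatewayId": "vgw-0aaa", "VpcAttachments": [{"VpcId": "vpc-0111", "State": "attached"}]},
    {"VpnGatewayId": "vgw-0bbb", "VpcAttachments": [{"VpcId": "vpc-0222", "State": "attached"}]},
    {"VpnGatewayId": "vgw-0ccc", "VpcAttachments": [{"VpcId": "vpc-0333", "State": "attached"}]},
]
SAMPLE_VIRTUAL_INTERFACES = [
    # VIF terminated directly on a virtual private gateway
    {"virtualInterfaceId": "dxvif-0aaa", "virtualInterfaceType": "private",
     "virtualGatewayId": "vgw-0aaa", "directConnectGatewayId": ""},
    # VIF terminated on a Direct Connect gateway; VGW reached via association below
    {"virtualInterfaceId": "dxvif-0ddd", "virtualInterfaceType": "private",
     "virtualGatewayId": "", "directConnectGatewayId": "dxgw-0ddd"},
]
SAMPLE_DXGW_ASSOCIATIONS = [
    {"directConnectGatewayId": "dxgw-0ddd",
     "associatedGateway": {"id": "vgw-0ccc", "type": "virtualPrivateGateway"}},
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "db-public-dx", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-0111"}},
    {"DBInstanceIdentifier": "db-private-dx", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-0111"}},
    {"DBInstanceIdentifier": "db-public-nodx", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-0222"}},
    {"DBInstanceIdentifier": "db-public-dxgw", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-0333"}},
]


def vgws_used_by_direct_connect(virtual_interfaces: Iterable[Dict],
                                dxgw_associations: Iterable[Dict]) -> Set[str]:
    """Virtual private gateway IDs that a Direct Connect VIF terminates on,
    directly or through a Direct Connect gateway association."""
    vgws: Set[str] = set()
    dxgw_to_vgws: Dict[str, Set[str]] = {}
    for assoc in dxgw_associations:
        gw = assoc.get("associatedGateway") or {}
        vgw_id = gw.get("id") if gw.get("type") == "virtualPrivateGateway" else assoc.get("virtualGatewayId")
        if vgw_id:
            dxgw_to_vgws.setdefault(assoc["directConnectGatewayId"], set()).add(vgw_id)
    for vif in virtual_interfaces:
        if vif.get("virtualGatewayId"):
            vgws.add(vif["virtualGatewayId"])
        if vif.get("directConnectGatewayId"):
            vgws |= dxgw_to_vgws.get(vif["directConnectGatewayId"], set())
    return vgws


def vpcs_with_direct_connect(vpn_gateways: Iterable[Dict], dx_vgws: Set[str]) -> Set[str]:
    """VPC IDs with an attached VGW that is in the Direct Connect set."""
    return {
        att["VpcId"]
        for vgw in vpn_gateways if vgw["VpnGatewayId"] in dx_vgws
        for att in vgw.get("VpcAttachments", []) if att.get("State") == "attached"
    }


def find_violations(db_instances, vpn_gateways, virtual_interfaces, dxgw_associations) -> List[str]:
    """Identifiers of publicly accessible RDS instances in Direct Connect reachable VPCs."""
    dx_vpcs = vpcs_with_direct_connect(vpn_gateways, vgws_used_by_direct_connect(virtual_interfaces, dxgw_associations))
    return sorted(
        db["DBInstanceIdentifier"] for db in db_instances
        if db.get("PubliclyAccessible") and (db.get("DBSubnetGroup") or {}).get("VpcId") in dx_vpcs
    )


def collect_live(region: str) -> List[str]:
    """Run the same check against a real account (assumes boto3 and credentials)."""
    import boto3  # imported here so the offline functions work without it
    ec2, dx, rds = (boto3.client(s, region_name=region) for s in ("ec2", "directconnect", "rds"))
    vgws = ec2.describe_vpn_gateways()["VpnGateways"]
    vifs = dx.describe_virtual_interfaces()["virtualInterfaces"]
    assocs = []
    for dxgw in dx.describe_direct_connect_gateways()["directConnectGateways"]:
        assocs += dx.describe_direct_connect_gateway_associations(
            directConnectGatewayId=dxgw["directConnectGatewayId"])["directConnectGatewayAssociations"]
    dbs = [d for page in rds.get_paginator("describe_db_instances").paginate() for d in page["DBInstances"]]
    return find_violations(dbs, vgws, vifs, assocs)


if __name__ == "__main__":
    print(find_violations(SAMPLE_DB_INSTANCES, SAMPLE_VPN_GATEWAYS,
                          SAMPLE_VIRTUAL_INTERFACES, SAMPLE_DXGW_ASSOCIATIONS))
```

Each flagged instance is one the portal steps above would also surface; the fix is to set the instance's PubliclyAccessible attribute to false (or move it to private subnets) rather than to change the Direct Connect side. The check deliberately covers both private and public VIF types, since the rule keys on the gateway relationship, not the VIF type.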

References

  1. https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
  2. For creating a private virtual interface: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset