Ensure that AWS DB Security Group does not allow public access
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to the RDS database.
Risk Level: High
Cloud Entity: DB Security Group
CloudGuard Rule ID: D9.CFT.NET.08
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
AWS_RDS_DBSecurityGroup should not have DBSecurityGroupIngress contain-any [ CIDRIP='0.0.0.0/0' ]
REMEDIATION
From CFT
Set the CIDRIP property of each AWS::RDS::DBSecurityGroup DBSecurityGroupIngress entry to a specific IP address or a restricted range rather than 0.0.0.0/0
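The following is an added example, not CloudGuard or AWS code: a small check that applies this page's GSL logic to a parsed CloudFormation template. The two DB security groups inside it are constructed; one carries the non-compliant 0.0.0.0/0 CIDRIP and the other the remediated form (a specific range plus an EC2-Classic security group source).

```python
"""Flag AWS::RDS::DBSecurityGroup resources whose DBSecurityGroupIngress contains
CIDRIP 0.0.0.0/0 (rule D9.CFT.NET.08). Added example; the template is constructed."""
import json

# Constructed template: "OpenDbSg" violates the rule, "RestrictedDbSg" is the remediated form.
TEMPLATE = json.loads("""
{
  "Resources": {
    "OpenDbSg": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Open to the world (non-compliant)",
        "DBSecurityGroupIngress": [ { "CIDRIP": "0.0.0.0/0" } ]
      }
    },
    "RestrictedDbSg": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Specific range plus an EC2-Classic group (compliant)",
        "DBSecurityGroupIngress": [
          { "CIDRIP": "203.0.113.0/24" },
          { "EC2SecurityGroupName": "app-servers", "EC2SecurityGroupOwnerId": "123456789012" }
        ]
      }
    },
    "Unrelated": { "Type": "AWS::S3::Bucket", "Properties": {} }
  }
}
""")

OPEN_CIDR = "0.0.0.0/0"


def open_db_security_groups(template: dict) -> list[str]:
    """Return logical IDs of DB security groups with an ingress entry whose CIDRIP is 0.0.0.0/0.
    Ingress entries that name an EC2 security group as the source carry no CIDRIP and are skipped."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBSecurityGroup":
            continue  # only DB security groups are in scope for this rule
        ingress = res.get("Properties", {}).get("DBSecurityGroupIngress", [])
        if any(rule.get("CIDRIP") == OPEN_CIDR for rule in ingress):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for lid in open_db_security_groups(TEMPLATE):
        print(f"D9.CFT.NET.08 violation: {lid} allows ingress from {OPEN_CIDR}")
```

Run it against a real template by loading the JSON from a file instead of the inline string; YAML templates would need a YAML loader first.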
References
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-rds.html#scenario-rds-security-group-cidr
DB Security Group
DB security groups are used with DB instances that are not in a VPC and on the EC2-Classic platform. Each DB security group rule enables a specific source to access a DB instance that is associated with that DB security group. The source can be a range of addresses (for example, 203.0.113.0/24), or an EC2-Classic security group. When you specify an EC2-Classic security group as the source, you allow incoming traffic from all EC2 instances that use that EC2-Classic security group. DB security group rules apply to inbound traffic only; outbound traffic is not currently permitted for DB instances.
Compliance Frameworks
- AWS CloudFormation ruleset