Unrestricted MySQL Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the unrestricted MySQL access issue in AWS using AWS CLI, follow the below steps:Step 1: Open the AWS CLI and run the following command to list all the security groups in your AWS account:

aws ec2 describe-security-groups

Step 2: Identify the security group that has unrestricted MySQL access. You can filter the results using the following command:

aws ec2 describe-security-groups --filters Name=ip-permission.protocol,Values=tcp Name=ip-permission.to-port,Values=3306 Name=ip-permission.cidr,Values='0.0.0.0/0'

This command will list all the security groups that have unrestricted MySQL access.Step 3: Once you have identified the security group, run the following command to revoke the MySQL access:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

Replace <security-group-id> with the ID of the security group that you want to remediate.Step 4: Verify that the MySQL access has been revoked by running the following command:

aws ec2 describe-security-groups --group-ids <security-group-id>

This command will list the details of the security group that you have remediated.That’s it. You have successfully remediated the unrestricted MySQL access issue in AWS using AWS CLI.

Using Python

To remediate unrestricted MySQL access in AWS using Python, you can follow these steps:

Import the necessary libraries:

import boto3
from botocore.exceptions import ClientError

Create an AWS client for the RDS service:

rds = boto3.client('rds')

Get a list of all RDS instances:

try:
    response = rds.describe_db_instances()
    instances = response['DBInstances']
except ClientError as e:
    print(e)
    exit(1)

Loop through each RDS instance and modify its security group to remove unrestricted MySQL access:

for instance in instances:
    db_instance_identifier = instance['DBInstanceIdentifier']
    db_security_groups = instance['DBSecurityGroups']
    for security_group in db_security_groups:
        if security_group['DBSecurityGroupName'] == 'default':
            try:
                response = rds.revoke_db_security_group_ingress(
                    DBSecurityGroupName='default',
                    EC2SecurityGroupId=security_group['EC2SecurityGroups'][0]['EC2SecurityGroupId'],
                    CIDRIP='0.0.0.0/0',
                    DBProtocol='tcp',
                    DBPortNumber=3306
                )
                print(f"Revoked unrestricted MySQL access for {db_instance_identifier}")
            except ClientError as e:
                print(e)
                exit(1)

This code will loop through each RDS instance and its associated security groups. If the default security group is found, it will revoke any inbound rules that allow unrestricted MySQL access (i.e. from any IP address). The code will print a message for each instance where unrestricted MySQL access was revoked.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted MySQL Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: