More Info:

No security group should allow unrestricted inbound access to TCP port 1521 (Oracle Database).

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the issue of unrestricted Oracle access in AWS, you can follow the below steps:
  1. Open the AWS Management Console and navigate to the RDS service.
  2. Select the affected RDS instance and click on the “Modify” button.
  3. Scroll down to the “Network & Security” section and click on the “Additional Configuration” tab.
  4. In the “Additional Configuration” tab, locate the “Publicly Accessible” option and set it to “No”.
  5. Next, locate the “VPC Security Group” option and select the appropriate security group that allows access only to the required IP addresses or CIDR ranges.
  6. Click on the “Continue” button and review the changes. If everything is correct, click on the “Modify DB Instance” button to apply the changes.
  7. After the changes have been applied, verify that the RDS instance is no longer publicly accessible and that access is restricted to the required IP addresses or CIDR ranges.
By following these steps, you can remediate the issue of unrestricted Oracle access in AWS and ensure that your RDS instance is secure.

To remediate the unrestricted Oracle access issue in AWS, you can follow the below steps using AWS CLI:
  1. Connect to your AWS account using AWS CLI.
  2. Identify the security group that allows unrestricted Oracle access. You can use the following command to list all security groups in your AWS account: 
aws ec2 describe-security-groups
  1. Once you have identified the security group, use the following command to update the inbound rules of the security group to restrict access to Oracle:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1521 --cidr 0.0.0.0/0
This command will remove the inbound rule that allows unrestricted access to Oracle on port 1521 from any IP address.
  1. After running the above command, you can verify that the rule has been removed by running the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>
This command will display the details of the security group, including the inbound rules.
  1. Finally, you should test the Oracle access to ensure that it is restricted as expected. If necessary, you can modify the security group rules further to allow access only from specific IP addresses or networks.
To remediate the “Unrestricted Oracle Access Should Not Be Allowed” misconfiguration in AWS using Python, you can follow these steps:
  1. Install the Boto3 AWS SDK for Python:
!pip install boto3
  1. Use Boto3 to connect to the AWS account:
import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY_ID',
    aws_secret_access_key='YOUR_SECRET_ACCESS_KEY',
    region_name='YOUR_REGION'
)

ec2 = session.client('ec2')
  1. Use the describe_security_groups method to get a list of all the security groups in the account:
response = ec2.describe_security_groups()
security_groups = response['SecurityGroups']
  1. Loop through the security groups and check if any of them have unrestricted Oracle access:
for sg in security_groups:
    for rule in sg['IpPermissions']:
        if rule['IpProtocol'] == 'tcp' and rule['FromPort'] == 1521 and rule['ToPort'] == 1521 and rule['IpRanges'] == [{'CidrIp': '0.0.0.0/0'}]:
            print(f"Security group {sg['GroupId']} has unrestricted Oracle access!")
  1. If you find a security group with unrestricted Oracle access, use the revoke_security_group_ingress method to remove the rule:
ec2.revoke_security_group_ingress(
    GroupId=sg['GroupId'],
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 1521,
            'ToPort': 1521,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        }
    ]
)
This will remove the unrestricted Oracle access from the security group.

Additional Reading: