Unrestricted PostgreSQL Access Should Not Be Allowed
More Info:
No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the unrestricted PostgreSQL access issue in AWS, you can follow the steps below:
- Go to the AWS Management Console and navigate to the RDS dashboard.
- Select the RDS instance that has unrestricted PostgreSQL access.
- Click on the “Modify” button.
- In the “Network & Security” section, select the “Additional Configuration” tab.
- Under “Security Group Rules,” locate the rule that allows unrestricted PostgreSQL access.
- Remove the rule by clicking on the “x” icon next to it.
- Add a new rule that allows access only from trusted sources.
- Click on the “Save Changes” button.
By following these steps, you can remediate the unrestricted PostgreSQL access issue in AWS and ensure that your PostgreSQL database is only accessible from trusted sources.
To remediate unrestricted PostgreSQL access in AWS, you can follow these steps using the AWS CLI:
- Open the AWS CLI and run the following command to get the security group ID of the security group associated with the PostgreSQL instance:
```bash
aws rds describe-db-instances --query 'DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId' --output text
```
- Run the following command to get the name and ID of the security group:
```bash
aws ec2 describe-security-groups --filters Name=group-id,Values=<security-group-ID> --query 'SecurityGroups[*].{Name:GroupName,ID:GroupId}' --output table
```
- Run the following command to revoke the unrestricted access to PostgreSQL:
```bash
aws ec2 revoke-security-group-ingress --group-id <security-group-ID> --protocol tcp --port 5432 --cidr 0.0.0.0/0
```
This command will revoke the inbound rule that allows unrestricted access to PostgreSQL.
- Run the following command to verify that the unrestricted access has been revoked:
```bash
aws ec2 describe-security-groups --filters Name=group-id,Values=<security-group-ID> --query 'SecurityGroups[*].IpPermissions'
```
This command will show the current inbound rules for the security group. You should see that the rule allowing unrestricted access to PostgreSQL has been removed.
By following these steps, you have successfully remediated the unrestricted PostgreSQL access in AWS.
To remediate the unrestricted PostgreSQL access issue in AWS, you can use Python to create a security group that allows access to the PostgreSQL instance only from a specific IP address or range of IP addresses. Here are the steps to do so:
- First, you need to create a new security group that will be used to restrict access to the PostgreSQL instance. You can do this using the boto3 library in Python. Here's an example code snippet that creates a new security group:
```python
import boto3

ec2 = boto3.resource('ec2')

# Create a new security group. Without VpcId the group is created in the
# default VPC; pass VpcId='vpc-...' if the PostgreSQL instance lives elsewhere.
security_group = ec2.create_security_group(
    GroupName='PostgreSQLAccess',
    Description='Restrict access to PostgreSQL instance'
)

# Add a rule to allow access to the PostgreSQL port (5432) from a specific IP address
security_group.authorize_ingress(
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 5432,
            'ToPort': 5432,
            'IpRanges': [
                {
                    'CidrIp': 'x.x.x.x/32'  # Replace x.x.x.x with the specific IP address you want to allow access from
                }
            ]
        }
    ]
)
```
- Once you've created the new security group, you need to assign it to the PostgreSQL instance. You can do this using the modify_db_instance method from the boto3 library. Here's an example code snippet that assigns the new security group to the PostgreSQL instance (it uses the security_group object created in the previous step, so run it in the same script):
```python
import boto3

rds = boto3.client('rds')

# Modify the PostgreSQL instance to use the new security group.
# Note: this replaces the instance's whole list of VPC security groups.
response = rds.modify_db_instance(
    DBInstanceIdentifier='your-instance-id',  # Replace with your PostgreSQL instance ID
    VpcSecurityGroupIds=[
        security_group.id
    ]
)
```
- Finally, you can verify that the access to the PostgreSQL instance has been restricted by checking the security group rules associated with the instance. You can do this using the describe_db_instances method from the boto3 library. Here's an example code snippet that checks the security group rules:
```python
import boto3

rds = boto3.client('rds')
ec2 = boto3.client('ec2')  # needed for describe_security_groups below

# Get the PostgreSQL instance details
response = rds.describe_db_instances(
    DBInstanceIdentifier='your-instance-id'  # Replace with your PostgreSQL instance ID
)

# Get the security group IDs associated with the instance
security_group_ids = response['DBInstances'][0]['VpcSecurityGroups']

# Print the security group rules associated with each security group
for security_group_id in security_group_ids:
    response = ec2.describe_security_groups(
        GroupIds=[
            security_group_id['VpcSecurityGroupId']
        ]
    )
    print(response['SecurityGroups'][0]['IpPermissions'])
```
This code will print the security group rules associated with each security group, which should show that access to the PostgreSQL port (5432) is only allowed from the specific IP address or range of IP addresses that you specified in the security group rule.
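Reading the printed IpPermissions by eye misses rules that are open in less obvious ways: a port range such as 5000-6000 that happens to span 5432, an IpProtocol of '-1' (all traffic), or an IPv6 rule for ::/0, which the CLI revoke above (which only names 0.0.0.0/0) leaves in place. The following checker, added here as an example and not part of the original page or of boto3, evaluates the IpPermissions list returned by either the CLI verification step or the describe_security_groups call above; the sample rules and the 203.0.113.10/32 address are constructed values, and audit_group is a hypothetical helper that needs boto3 and AWS credentials.

```python
PG_PORT = 5432
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def _covers_pg_port(perm):
    """True if this IpPermissions entry applies to TCP 5432: '-1' means all
    protocols and ports; a tcp rule matches when FromPort..ToPort spans 5432."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= PG_PORT <= perm.get("ToPort", 65535)


def unrestricted_pg_rules(ip_permissions):
    """Return the open CIDRs (v4 and v6) of every inbound rule that lets anyone
    on the internet reach PostgreSQL; an empty list means the group is clean."""
    findings = []
    for perm in ip_permissions:
        if not _covers_pg_port(perm):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings.extend(c for c in cidrs if c in OPEN_CIDRS)
    return findings


def audit_group(group_id):
    """Hypothetical live check of one security group (needs boto3 and credentials)."""
    import boto3  # imported lazily so the pure checks run without AWS

    sg = boto3.client("ec2").describe_security_groups(GroupIds=[group_id])
    return unrestricted_pg_rules(sg["SecurityGroups"][0]["IpPermissions"])


# Constructed sample IpPermissions, not captured from a real account.
SAMPLE_BAD = [  # world-open on 5432 (v4), on a 5000-6000 range (v6), and on SSH
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
SAMPLE_GOOD = [  # remediated: only one trusted /32 may reach 5432
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
]
```

The SSH rule in SAMPLE_BAD is deliberately not reported: the check is scoped to PostgreSQL exposure, so a clean result for the PostgreSQL rule does not mean the group has no other world-open ports.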