AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
DocumentDB Custer Snapshots Should Not Be Public
More Info:
Checks if Amazon DocumentDB manual cluster snapshots are public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
Risk Level
Medium
Address
Observability
Compliance Standards
CBP,SEBI
Triage and Remediation
Remediation
To remediate the issue of DocumentDB Cluster Snapshots being public in AWS RDS using the AWS Management Console, follow these steps:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
-
Navigate to DocumentDB Service: Click on the “Services” dropdown menu at the top left corner of the console, then select “DocumentDB” under the Database category.
-
Select DocumentDB Cluster: From the DocumentDB dashboard, select the DocumentDB cluster for which you want to remediate the public snapshot issue.
-
Modify Snapshot Settings:
- In the left-hand navigation pane, click on “Snapshots” to view the list of snapshots associated with the selected cluster.
- Identify the public snapshot(s) that need to be remediated.
- Select the public snapshot by clicking on the checkbox next to it.
-
Update Snapshot Permissions:
- Click on the “Actions” dropdown menu above the list of snapshots.
- Select “Modify Snapshot Attribute” from the dropdown menu.
- In the Modify Snapshot Attribute window, uncheck the option for “Public” to make the snapshot private.
- Click on the “Modify Snapshot Attribute” button to save the changes.
-
Verify Changes:
- Once the modification is complete, verify that the snapshot is no longer public by checking the snapshot permissions.
- You can also try accessing the snapshot URL to confirm that it is no longer accessible publicly.
-
Repeat for Other Public Snapshots: If there are multiple public snapshots across different clusters, repeat the above steps for each affected snapshot to ensure all snapshots are private.
By following these steps, you can remediate the issue of DocumentDB Cluster Snapshots being public in AWS RDS using the AWS Management Console.
To remediate the issue of DocumentDB Cluster Snapshots being public in AWS RDS, you can follow these steps using the AWS CLI:
Step 1: List all the DocumentDB Cluster Snapshots
aws rds describe-db-cluster-snapshots --query 'DBClusterSnapshots[*].[DBClusterSnapshotIdentifier]' --output text
Step 2: Modify the permissions of the DocumentDB Cluster Snapshots to make them private
aws rds modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-add all
Replace <snapshot-identifier> with the identifier of the DocumentDB Cluster Snapshot you want to modify.
Step 3: Verify that the permissions have been modified successfully
aws rds describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-identifier>
Repeat steps 2 and 3 for each DocumentDB Cluster Snapshot that needs to be remediated.
By following these steps, you can ensure that your DocumentDB Cluster Snapshots are no longer public and have the appropriate permissions set to maintain the security of your AWS RDS resources.
To remediate the issue of DocumentDB cluster snapshots being public in AWS RDS using Python, you can follow these steps:
-
Identify the Public Snapshots: Use the AWS SDK for Python (Boto3) to list all the DocumentDB cluster snapshots in your account and identify which snapshots are public.
-
Modify Snapshot Permissions: For each public snapshot identified, modify the permissions to make them private. You can do this by removing the “all” permission grants and adding specific AWS account IDs or IAM roles that should have access to the snapshots.
Here is a sample Python script to help you achieve this:
import boto3
def remediate_public_snapshots():
client = boto3.client('rds')
# List all DocumentDB cluster snapshots
response = client.describe_db_cluster_snapshots()
for snapshot in response['DBClusterSnapshots']:
snapshot_identifier = snapshot['DBClusterSnapshotIdentifier']
snapshot_arn = snapshot['DBClusterSnapshotArn']
# Check if the snapshot is public
if snapshot['PubliclyAccessible']:
print(f"Snapshot {snapshot_identifier} is public. Modifying permissions...")
# Revoke public access
response = client.modify_db_cluster_snapshot_attribute(
DBClusterSnapshotIdentifier=snapshot_identifier,
AttributeName='restore',
ValuesToRemove=['all']
)
print(f"Snapshot {snapshot_identifier} permissions updated.")
else:
print(f"Snapshot {snapshot_identifier} is private.")
if __name__ == '__main__':
remediate_public_snapshots()
Make sure to install the boto3 library by running pip install boto3 before executing the script.
This script will identify all public DocumentDB cluster snapshots and modify their permissions to make them private. Make sure to run this script with appropriate AWS credentials and permissions to modify the snapshot attributes.