RDS DB Instances Should Not Be Provisioned in VPC Public Subnets
More Info:
No AWS RDS database instances should be provisioned inside VPC public subnets in order to protect them from direct exposure to the InternetRisk Level
HighAddress
SecurityCompliance Standards
SOC2, HITRUST, GDPR, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of having RDS DB instances provisioned in VPC public subnets in AWS, follow these steps using the AWS Management Console:
-
Identify RDS Instances in Public Subnets:
- Go to the AWS Management Console and navigate to the RDS service.
- Click on “Databases” from the left-hand menu to view all your RDS instances.
- Identify the RDS instances that are provisioned in VPC public subnets.
-
Create New Private Subnet:
- Go to the VPC service in the AWS Management Console.
- Click on “Subnets” from the left-hand menu.
- Create a new private subnet within the same VPC where the RDS instances are located. Ensure that this subnet is not associated with a route table that has an internet gateway.
-
Modify RDS Instance:
- Go back to the RDS service in the AWS Management Console.
- Select the RDS instance that you want to move to the private subnet.
- Click on the “Modify” button to change the subnet group.
- In the “Network & Security” section, select the newly created private subnet from the “Subnet group” dropdown.
- Click “Continue” and then “Modify DB Instance” to apply the changes.
-
Verify the Changes:
- Wait for the modification process to complete. This may take a few minutes.
- Once the modification is complete, verify that the RDS instance is now running in the private subnet.
-
Update Security Group Rules:
- Update the security group associated with the RDS instance to allow necessary inbound and outbound traffic from other resources within the VPC.
Using CLI
Using CLI
To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI, follow these steps:
-
Identify the RDS DB Instances that are provisioned in VPC public subnets:
Run the following AWS CLI command to list all RDS DB Instances in your AWS account:
Identify the RDS DB Instances that are provisioned in VPC public subnets by checking their
DBSubnetGroupandDBSubnetGroup.Subnetsvalues. -
Create a new DB subnet group with private subnets:
Create a new DB subnet group containing only private subnets where you want to move the RDS DB Instances. Replace
subnet-xxxxxxxxxxxxxxwith the IDs of your private subnets. -
Modify the RDS DB Instances to use the new DB subnet group:
Modify each RDS DB Instance to use the newly created DB subnet group. Replace
db-instance-identifierwith the identifier of the RDS DB Instance andprivate-subnet-groupwith the name of the new DB subnet group. -
Verify the changes:
Run the following AWS CLI command to describe the modified RDS DB Instance and ensure that it is now using the new DB subnet group:
Using Python
Using Python
To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using Python, you can follow these steps:
-
Identify the RDS instances that are provisioned in the public subnets:
-
Modify the RDS instance to remove the public accessibility and move it to a private subnet:
-
Verify that the RDS instance is now in a private subnet: