More Info:

No AWS RDS database instances should be provisioned inside VPC public subnets in order to protect them from direct exposure to the Internet

Risk Level

High

Address

Security

Compliance Standards

SOC2, HITRUST, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of having RDS DB instances provisioned in VPC public subnets in AWS, follow these steps using the AWS Management Console:
  1. Identify RDS Instances in Public Subnets:
    • Go to the AWS Management Console and navigate to the RDS service.
    • Click on “Databases” from the left-hand menu to view all your RDS instances.
    • Identify the RDS instances that are provisioned in VPC public subnets.
  2. Create New Private Subnet:
    • Go to the VPC service in the AWS Management Console.
    • Click on “Subnets” from the left-hand menu.
    • Create a new private subnet within the same VPC where the RDS instances are located. Ensure that this subnet is not associated with a route table that has an internet gateway.
  3. Modify RDS Instance:
    • Go back to the RDS service in the AWS Management Console.
    • Select the RDS instance that you want to move to the private subnet.
    • Click on the “Modify” button to change the subnet group.
    • In the “Network & Security” section, select the newly created private subnet from the “Subnet group” dropdown.
    • Click “Continue” and then “Modify DB Instance” to apply the changes.
  4. Verify the Changes:
    • Wait for the modification process to complete. This may take a few minutes.
    • Once the modification is complete, verify that the RDS instance is now running in the private subnet.
  5. Update Security Group Rules:
    • Update the security group associated with the RDS instance to allow necessary inbound and outbound traffic from other resources within the VPC.
By following these steps, you can remediate the misconfiguration of having RDS DB instances provisioned in VPC public subnets in AWS and ensure that they are running in private subnets for improved security.

To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI, follow these steps:
  1. Identify the RDS DB Instances that are provisioned in VPC public subnets: Run the following AWS CLI command to list all RDS DB Instances in your AWS account: 
    aws rds describe-db-instances
    Identify the RDS DB Instances that are provisioned in VPC public subnets by checking their DBSubnetGroup and DBSubnetGroup.Subnets values.
  2. Create a new DB subnet group with private subnets: Create a new DB subnet group containing only private subnets where you want to move the RDS DB Instances. Replace subnet-xxxxxxxxxxxxxx with the IDs of your private subnets. 
    aws rds create-db-subnet-group --db-subnet-group-name private-subnet-group --db-subnet-group-description "DB Subnet Group with Private Subnets" --subnet-ids subnet-xxxxxxxxxxxxxx subnet-xxxxxxxxxxxxxx
  3. Modify the RDS DB Instances to use the new DB subnet group: Modify each RDS DB Instance to use the newly created DB subnet group. Replace db-instance-identifier with the identifier of the RDS DB Instance and private-subnet-group with the name of the new DB subnet group. 
    aws rds modify-db-instance --db-instance-identifier db-instance-identifier --db-subnet-group-name private-subnet-group
  4. Verify the changes: Run the following AWS CLI command to describe the modified RDS DB Instance and ensure that it is now using the new DB subnet group: 
    aws rds describe-db-instances --db-instance-identifier db-instance-identifier
By following these steps, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI.
To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using Python, you can follow these steps:
  1. Identify the RDS instances that are provisioned in the public subnets: 
    import boto3

client = boto3.client('rds')

response = client.describe_db_instances()

for db_instance in response['DBInstances']:
    db_instance_id = db_instance['DBInstanceIdentifier']
    db_subnet_group = db_instance['DBSubnetGroup']['VpcId']
    db_instance_public = db_instance['PubliclyAccessible']

    if db_instance_public and db_subnet_group:
        print(f"RDS instance {db_instance_id} is provisioned in a public subnet.")
  2. Modify the RDS instance to remove the public accessibility and move it to a private subnet: 
    db_instance_id = 'your_rds_instance_id'

response = client.modify_db_instance(
    DBInstanceIdentifier=db_instance_id,
    PubliclyAccessible=False,
    ApplyImmediately=True
)

print(f"RDS instance {db_instance_id} has been modified to not be publicly accessible.")
  3. Verify that the RDS instance is now in a private subnet: 
    response = client.describe_db_instances(DBInstanceIdentifier=db_instance_id)

db_instance_public = response['DBInstances'][0]['PubliclyAccessible']
db_subnet_group = response['DBInstances'][0]['DBSubnetGroup']['VpcId']

if not db_instance_public and db_subnet_group:
    print(f"RDS instance {db_instance_id} is now in a private subnet.")
By following these steps and running the Python script, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS.

Additional Reading: