AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
RDS DB Instances Should Not Be Provisioned in VPC Public Subnets
More Info:
No AWS RDS database instances should be provisioned inside VPC public subnets in order to protect them from direct exposure to the Internet
Risk Level
High
Address
Security
Compliance Standards
SOC2, HITRUST, GDPR, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration of having RDS DB instances provisioned in VPC public subnets in AWS, follow these steps using the AWS Management Console:
-
Identify RDS Instances in Public Subnets:
- Go to the AWS Management Console and navigate to the RDS service.
- Click on “Databases” from the left-hand menu to view all your RDS instances.
- Identify the RDS instances that are provisioned in VPC public subnets.
-
Create New Private Subnet:
- Go to the VPC service in the AWS Management Console.
- Click on “Subnets” from the left-hand menu.
- Create a new private subnet within the same VPC where the RDS instances are located. Ensure that this subnet is not associated with a route table that has an internet gateway.
-
Modify RDS Instance:
- Go back to the RDS service in the AWS Management Console.
- Select the RDS instance that you want to move to the private subnet.
- Click on the “Modify” button to change the subnet group.
- In the “Network & Security” section, select the newly created private subnet from the “Subnet group” dropdown.
- Click “Continue” and then “Modify DB Instance” to apply the changes.
-
Verify the Changes:
- Wait for the modification process to complete. This may take a few minutes.
- Once the modification is complete, verify that the RDS instance is now running in the private subnet.
-
Update Security Group Rules:
- Update the security group associated with the RDS instance to allow necessary inbound and outbound traffic from other resources within the VPC.
By following these steps, you can remediate the misconfiguration of having RDS DB instances provisioned in VPC public subnets in AWS and ensure that they are running in private subnets for improved security.
To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI, follow these steps:
-
Identify the RDS DB Instances that are provisioned in VPC public subnets:
Run the following AWS CLI command to list all RDS DB Instances in your AWS account:
aws rds describe-db-instancesIdentify the RDS DB Instances that are provisioned in VPC public subnets by checking their
DBSubnetGroupandDBSubnetGroup.Subnetsvalues. -
Create a new DB subnet group with private subnets:
Create a new DB subnet group containing only private subnets where you want to move the RDS DB Instances. Replace
subnet-xxxxxxxxxxxxxxwith the IDs of your private subnets.aws rds create-db-subnet-group --db-subnet-group-name private-subnet-group --db-subnet-group-description "DB Subnet Group with Private Subnets" --subnet-ids subnet-xxxxxxxxxxxxxx subnet-xxxxxxxxxxxxxx -
Modify the RDS DB Instances to use the new DB subnet group:
Modify each RDS DB Instance to use the newly created DB subnet group. Replace
db-instance-identifierwith the identifier of the RDS DB Instance andprivate-subnet-groupwith the name of the new DB subnet group.aws rds modify-db-instance --db-instance-identifier db-instance-identifier --db-subnet-group-name private-subnet-group -
Verify the changes:
Run the following AWS CLI command to describe the modified RDS DB Instance and ensure that it is now using the new DB subnet group:
aws rds describe-db-instances --db-instance-identifier db-instance-identifier
By following these steps, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI.
To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using Python, you can follow these steps:
-
Identify the RDS instances that are provisioned in the public subnets:
import boto3 client = boto3.client('rds') response = client.describe_db_instances() for db_instance in response['DBInstances']: db_instance_id = db_instance['DBInstanceIdentifier'] db_subnet_group = db_instance['DBSubnetGroup']['VpcId'] db_instance_public = db_instance['PubliclyAccessible'] if db_instance_public and db_subnet_group: print(f"RDS instance {db_instance_id} is provisioned in a public subnet.") -
Modify the RDS instance to remove the public accessibility and move it to a private subnet:
db_instance_id = 'your_rds_instance_id' response = client.modify_db_instance( DBInstanceIdentifier=db_instance_id, PubliclyAccessible=False, ApplyImmediately=True ) print(f"RDS instance {db_instance_id} has been modified to not be publicly accessible.") -
Verify that the RDS instance is now in a private subnet:
response = client.describe_db_instances(DBInstanceIdentifier=db_instance_id) db_instance_public = response['DBInstances'][0]['PubliclyAccessible'] db_subnet_group = response['DBInstances'][0]['DBSubnetGroup']['VpcId'] if not db_instance_public and db_subnet_group: print(f"RDS instance {db_instance_id} is now in a private subnet.")
By following these steps and running the Python script, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS.