Rds instance not in public subnet remediation

Using Console

Using CLI

To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI, follow these steps:

Identify the RDS DB Instances that are provisioned in VPC public subnets: Run the following AWS CLI command to list all RDS DB Instances in your AWS account:
```
aws rds describe-db-instances
```
Identify the RDS DB Instances that are provisioned in VPC public subnets by checking their DBSubnetGroup and DBSubnetGroup.Subnets values.
Create a new DB subnet group with private subnets: Create a new DB subnet group containing only private subnets where you want to move the RDS DB Instances. Replace subnet-xxxxxxxxxxxxxx with the IDs of your private subnets.
```
aws rds create-db-subnet-group --db-subnet-group-name private-subnet-group --db-subnet-group-description "DB Subnet Group with Private Subnets" --subnet-ids subnet-xxxxxxxxxxxxxx subnet-xxxxxxxxxxxxxx
```
Modify the RDS DB Instances to use the new DB subnet group: Modify each RDS DB Instance to use the newly created DB subnet group. Replace db-instance-identifier with the identifier of the RDS DB Instance and private-subnet-group with the name of the new DB subnet group.
```
aws rds modify-db-instance --db-instance-identifier db-instance-identifier --db-subnet-group-name private-subnet-group
```
Verify the changes: Run the following AWS CLI command to describe the modified RDS DB Instance and ensure that it is now using the new DB subnet group:
```
aws rds describe-db-instances --db-instance-identifier db-instance-identifier
```

By following these steps, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS using Python, you can follow these steps:

Identify the RDS instances that are provisioned in the public subnets:

import boto3

client = boto3.client('rds')

response = client.describe_db_instances()

for db_instance in response['DBInstances']:
    db_instance_id = db_instance['DBInstanceIdentifier']
    db_subnet_group = db_instance['DBSubnetGroup']['VpcId']
    db_instance_public = db_instance['PubliclyAccessible']

    if db_instance_public and db_subnet_group:
        print(f"RDS instance {db_instance_id} is provisioned in a public subnet.")

Modify the RDS instance to remove the public accessibility and move it to a private subnet:

db_instance_id = 'your_rds_instance_id'

response = client.modify_db_instance(
    DBInstanceIdentifier=db_instance_id,
    PubliclyAccessible=False,
    ApplyImmediately=True
)

print(f"RDS instance {db_instance_id} has been modified to not be publicly accessible.")

Verify that the RDS instance is now in a private subnet:

response = client.describe_db_instances(DBInstanceIdentifier=db_instance_id)

db_instance_public = response['DBInstances'][0]['PubliclyAccessible']
db_subnet_group = response['DBInstances'][0]['DBSubnetGroup']['VpcId']

if not db_instance_public and db_subnet_group:
    print(f"RDS instance {db_instance_id} is now in a private subnet.")

By following these steps and running the Python script, you can remediate the misconfiguration of having RDS DB Instances provisioned in VPC public subnets in AWS.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Rds instance not in public subnet remediation

Triage and Remediation

Remediation