RDS Database Snapshots Should Not Be Public

More Info:

Your AWS Relational Database Service (RDS) database snapshots should not be publicly accessible. This is to avoid exposing your private data.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, PCIDSS, NIST, AWSWAF, GDPR

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the issue of RDS Database Snapshots being public in AWS using AWS CLI, follow these steps:

List all the RDS database snapshots that are currently public:

aws rds describe-db-snapshot-attributes --db-snapshot-identifier <your-db-snapshot-identifier> --query "DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName=='restore'].AttributeName" --output text

Modify the DB snapshot attribute to make it private:

aws rds modify-db-snapshot-attribute --db-snapshot-identifier <your-db-snapshot-identifier> --attribute-name restore --values-to-add all

Verify that the DB snapshot attribute has been updated successfully:

aws rds describe-db-snapshot-attributes --db-snapshot-identifier <your-db-snapshot-identifier> --query "DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName=='restore'].AttributeName" --output text

By following these steps, you can remediate the misconfiguration of RDS Database Snapshots being public in AWS RDS using AWS CLI.

Using Python

To remediate the misconfiguration of having RDS database snapshots public in AWS using Python, you can follow these steps:

Identify the Public Snapshots:
- Use the AWS SDK for Python (Boto3) to list all the RDS database snapshots.
- Filter out the snapshots that are marked as public.
Update Snapshot Permissions:
- For each public snapshot identified, modify the snapshot attribute to make it private.
- Use the modify_db_snapshot_attribute method from the Boto3 RDS client to update the snapshot attribute.

Sample Python Script: Here is a sample Python script that demonstrates how to identify and update public RDS database snapshots to private:

import boto3

# Initialize the RDS client
rds_client = boto3.client('rds')

# List all RDS snapshots
response = rds_client.describe_db_snapshots()

# Iterate through each snapshot
for snapshot in response['DBSnapshots']:
    if snapshot['PubliclyAccessible']:
        # Update the snapshot attribute to make it private
        rds_client.modify_db_snapshot_attribute(
            DBSnapshotIdentifier=snapshot['DBSnapshotIdentifier'],
            AttributeName='restore',
            ValuesToRemove=['all'],
        )
        print(f"Snapshot {snapshot['DBSnapshotIdentifier']} is now private.")

Run the Script:
- Save the script in a file (e.g., remediate_public_snapshots.py) and run it using Python.
- Make sure you have the necessary IAM permissions to modify RDS snapshot attributes.

By following these steps and running the Python script, you can remediate the misconfiguration of having public RDS database snapshots in AWS.

Additional Reading:

https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

RDS Database Snapshots Should Not Be Public

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: