More Info:
RDS database instances provisioned in your AWS account should not be publicly accessible and should instead restrict unauthorized access in order to minimise security risks.
Risk Level: High
Address: Security
Compliance Standards: HIPAA, PCIDSS, NIST, SOC2, HITRUST, AWSWAF, GDPR, NISTCSF, FedRAMP
Triage and Remediation
Remediation
Using Console
To remediate the issue of RDS instances being publicly accessible in AWS, follow these steps using the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
- Navigate to RDS Service: Click on the “Services” dropdown menu at the top of the page, select “RDS” under the Database category.
- Select the RDS Instance: From the list of RDS instances, select the instance that you want to modify to make it not publicly accessible.
- Modify the Security Group: In the details page of the selected RDS instance, scroll down to the “Security” section and click on the link for the associated Security Group.
- Edit Inbound Rules: In the Security Group page, click on the “Inbound rules” tab and locate the rule that allows inbound traffic from any IP address (0.0.0.0/0) on the database port (usually 3306 for MySQL, 5432 for PostgreSQL, etc.).
- Remove the Public Access Rule: Select the rule that allows public access (0.0.0.0/0) and click on the “Actions” dropdown menu. Then, click on “Delete rule”.
- Add a Rule for Specific IP: If you still need to access the RDS instance from specific IP addresses, you can add a new inbound rule that allows traffic only from those IP addresses. Click on the “Add rule” button, select the type of rule (e.g., MySQL/Aurora, PostgreSQL), and specify the IP range or specific IPs that should be allowed to access the RDS instance.
- Review and Apply Changes: Review the changes you have made to the Security Group and ensure that only necessary IP addresses have access to the RDS instance. Once you are satisfied, click on the “Save rules” button to apply the changes.
- Verify Public Accessibility: Finally, go back to the RDS instance details page and verify that the instance is no longer publicly accessible by checking the “Publicly Accessible” attribute. It should be set to “No”.
Using CLI
To remediate the misconfiguration of having publicly accessible RDS instances in AWS using the AWS CLI, follow these steps:
- List all the RDS instances that are publicly accessible.
- For each publicly accessible RDS instance, modify the instance to make it not publicly accessible. Replace YOUR_DB_INSTANCE_IDENTIFIER with the actual identifier of the RDS instance.
- Verify that the RDS instance is no longer publicly accessible. Replace YOUR_DB_INSTANCE_IDENTIFIER with the actual identifier of the RDS instance.
By following these steps, you can remediate the misconfiguration of having publicly accessible RDS instances in AWS using the AWS CLI.
Using Python
To remediate the misconfiguration of having publicly accessible RDS instances in AWS using Python, you can follow these steps:
- Install the boto3 library if you haven’t already. You can install it using pip.
- Use the following Python script to update the RDS instance to make it not publicly accessible. Replace YOUR_RDS_INSTANCE_IDENTIFIER with the identifier of your RDS instance.
- Run the Python script to update the RDS instance and make it not publicly accessible.
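The following script is an added example covering both the CLI steps (list publicly accessible instances, modify each one, verify) and the Python steps above; it is not the page's own script. It uses the boto3 RDS API calls describe_db_instances and modify_db_instance with PubliclyAccessible=False, which correspond to the CLI's describe-db-instances and modify-db-instance --no-publicly-accessible. Note that PubliclyAccessible is an instance attribute separate from the security group rules edited in the console steps: tightening inbound rules limits who can reach the endpoint, but the attribute itself only changes through a modify call. The sample response and the FakeRdsClient stand-in are constructed so the logic runs offline; against a real account the describe/modify calls are asynchronous, so verification should be re-run once the instance returns to the available status.

```python
"""Detect RDS instances with PubliclyAccessible set and clear the flag.

Added example (not the page's own code). Uses the boto3 RDS API shape:
describe_db_instances and modify_db_instance(PubliclyAccessible=False).
"""

# Constructed sample of a describe_db_instances response (trimmed to the
# fields this script reads). Identifiers are made up.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
         "Engine": "mysql", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
         "Engine": "postgres", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "staging-db", "PubliclyAccessible": True,
         "Engine": "postgres", "DBInstanceStatus": "available"},
    ]
}


def find_public_instances(pages):
    """Return identifiers of instances whose PubliclyAccessible flag is True.

    `pages` is an iterable of describe_db_instances response dicts, one per
    paginator page, so accounts with more than one page of instances are
    handled (boto3: client.get_paginator("describe_db_instances").paginate()).
    """
    public = []
    for page in pages:
        for db in page.get("DBInstances", []):
            if db.get("PubliclyAccessible", False):
                public.append(db["DBInstanceIdentifier"])
    return public


def remediate(client, identifier, apply_immediately=True):
    """Clear the PubliclyAccessible attribute on one instance."""
    client.modify_db_instance(
        DBInstanceIdentifier=identifier,
        PubliclyAccessible=False,
        ApplyImmediately=apply_immediately,
    )


def verify(client, identifier):
    """Re-read the instance; True when it is no longer publicly accessible.

    In a real account the modification is asynchronous, so poll this until
    DBInstanceStatus is back to "available" before trusting the answer.
    """
    resp = client.describe_db_instances(DBInstanceIdentifier=identifier)
    return not resp["DBInstances"][0]["PubliclyAccessible"]


def remediate_all(client, pages, dry_run=True):
    """Detect, optionally fix, and verify. Returns {identifier: fixed?}.

    With dry_run=True nothing is modified and every finding maps to False,
    which is the mode to run first so the list can be reviewed.
    """
    results = {}
    for identifier in find_public_instances(pages):
        if dry_run:
            results[identifier] = False
            continue
        remediate(client, identifier)
        results[identifier] = verify(client, identifier)
    return results


class FakeRdsClient:
    """Offline stand-in for boto3's RDS client (constructed for this example).

    Applies modifications immediately, unlike the real service.
    """

    def __init__(self, response):
        self.state = {db["DBInstanceIdentifier"]: dict(db)
                      for db in response["DBInstances"]}

    def describe_db_instances(self, DBInstanceIdentifier=None, **_):
        if DBInstanceIdentifier:
            return {"DBInstances": [self.state[DBInstanceIdentifier]]}
        return {"DBInstances": list(self.state.values())}

    def modify_db_instance(self, DBInstanceIdentifier, PubliclyAccessible, **_):
        self.state[DBInstanceIdentifier]["PubliclyAccessible"] = PubliclyAccessible
        return {"DBInstance": self.state[DBInstanceIdentifier]}


def main():
    # Real account: client = boto3.client("rds");
    # pages = client.get_paginator("describe_db_instances").paginate()
    client = FakeRdsClient(SAMPLE_RESPONSE)
    pages = [client.describe_db_instances()]
    print("dry run:", remediate_all(client, pages, dry_run=True))
    print("applied:", remediate_all(client, pages, dry_run=False))
    print("remaining:", find_public_instances([client.describe_db_instances()]))


if __name__ == "__main__":
    main()
```

Run it as-is to see the dry-run findings followed by the applied fixes against the constructed data; to use it for real, swap FakeRdsClient for boto3.client("rds") and the paginator as the comment in main shows, and run with dry_run=True first.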