Skip to main content

Triage and Remediation

Remediation

Using Console

To remediate the issue of RDS instances being publicly accessible in AWS, follow these steps using the AWS Management Console:
  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
  2. Navigate to RDS Service: Click on the “Services” dropdown menu at the top of the page, select “RDS” under the Database category.
  3. Select the RDS Instance: From the list of RDS instances, select the instance that you want to modify to make it not publicly accessible.
  4. Modify the Security Group: In the details page of the selected RDS instance, scroll down to the “Security” section and click on the link for the associated Security Group.
  5. Edit Inbound Rules: In the Security Group page, click on the “Inbound rules” tab and locate the rule that allows inbound traffic from any IP address (0.0.0.0/0) on the database port (usually 3306 for MySQL, 5432 for PostgreSQL, etc.).
  6. Remove the Public Access Rule: Select the rule that allows public access (0.0.0.0/0) and click on the “Actions” dropdown menu. Then, click on “Delete rule”.
  7. Add a Rule for Specific IP: If you still need to access the RDS instance from specific IP addresses, you can add a new inbound rule that allows traffic only from those IP addresses. Click on the “Add rule” button, select the type of rule (e.g., MySQL/Aurora, PostgreSQL), and specify the IP range or specific IPs that should be allowed to access the RDS instance.
  8. Review and Apply Changes: Review the changes you have made to the Security Group and ensure that only necessary IP addresses have access to the RDS instance. Once you are satisfied, click on the “Save rules” button to apply the changes.
  9. Verify Public Accessibility: Finally, go back to the RDS instance details page and verify that the instance is no longer publicly accessible by checking the “Publicly Accessible” attribute. It should be set to “No”.
By following these steps, you have successfully remediated the issue of RDS instances being publicly accessible in AWS.

To remediate the misconfiguration of having publicly accessible RDS instances in AWS using AWS CLI, follow these steps:
  1. List all the RDS instances that are publicly accessible:
aws rds describe-db-instances --query "DBInstances[?PubliclyAccessible=='true'].DBInstanceIdentifier" --output text
  1. For each publicly accessible RDS instance, modify the instance to make it not publicly accessible:
aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --no-publicly-accessible
Replace YOUR_DB_INSTANCE_IDENTIFIER with the actual identifier of the RDS instance.
  1. Verify that the RDS instance is no longer publicly accessible:
aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query "DBInstances[0].PubliclyAccessible"
Replace YOUR_DB_INSTANCE_IDENTIFIER with the actual identifier of the RDS instance.By following these steps, you can remediate the misconfiguration of having publicly accessible RDS instances in AWS using the AWS CLI.
To remediate the misconfiguration of having publicly accessible RDS instances in AWS using Python, you can follow these steps:
  1. Install the boto3 library if you haven’t already. You can install it using pip: 
    pip install boto3
  2. Use the following Python script to update the RDS instance to make it not publicly accessible. Replace YOUR_RDS_INSTANCE_IDENTIFIER with the identifier of your RDS instance: 
import boto3

# Initialize the RDS client
client = boto3.client('rds')

# Update the RDS instance to make it not publicly accessible
response = client.modify_db_instance(
    DBInstanceIdentifier='YOUR_RDS_INSTANCE_IDENTIFIER',
    PubliclyAccessible=False
)

print("RDS instance updated successfully. It is no longer publicly accessible.")
  1. Run the Python script to update the RDS instance and make it not publicly accessible.
After running this script, your RDS instance will no longer be publicly accessible, thus remediating the misconfiguration.