RDS Instances Should Not Be Publicly Accessible
More Info:
RDS instances should not be launched into the public cloud. Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only.
Risk Level: High
Address: Security
Compliance Standards: NIST
Triage and Remediation
Remediation
To remediate the misconfiguration of RDS instances being publicly accessible in AWS, you can follow these steps using the AWS Management Console:
- Log in to the AWS Management Console: Go to https://aws.amazon.com/ and log in to your AWS account.
- Navigate to the RDS Dashboard: Click on the "Services" dropdown menu at the top of the page and select "RDS" under the Database section.
- Select the RDS Instance: From the list of RDS instances, select the instance whose security group you want to modify by clicking on its identifier.
- Modify the Security Group: On the RDS instance details page, scroll down to the "Security group rules" section and click on the security group name listed there.
- Edit Inbound Rules: In the security group's "Inbound rules" tab, you will see the current rules allowing inbound traffic to the RDS instance. To make the RDS instance not publicly accessible, you need to remove the rule that allows inbound traffic from any source (0.0.0.0/0).
- Delete the Public Access Rule: Find the rule that allows inbound traffic from 0.0.0.0/0 (or any other IP address range that is broader than you need), select it, and click on the "Delete" or "Remove" button to remove this rule.
- Add Specific IP Addresses (Optional): If you still need to access the RDS instance from specific IP addresses or ranges, add new inbound rules that allow traffic only from those specific sources.
- Save Changes: After removing the public access rule and adding specific IP addresses if necessary, click on the "Save rules" or "Apply changes" button to apply the new security group rules.
By following these steps, you have successfully remediated the misconfiguration of making RDS instances publicly accessible in AWS by updating the security group rules to restrict access to specific IP addresses or ranges.
To remediate the issue of RDS instances being publicly accessible in AWS using AWS CLI, follow these steps:
- Identify the security group associated with the RDS instance: Run the following AWS CLI command to get the details of the RDS instance, including the VPC security groups attached to it:
    aws rds describe-db-instances --db-instance-identifier <your-db-instance-id>
  Note down the Security Group ID (VpcSecurityGroups[].VpcSecurityGroupId in the output) and the port under Endpoint.Port.
- Update the inbound rules of the security group to restrict access: Run the following AWS CLI command to revoke the ingress rule that allows public access to the RDS instance. Replace <your-security-group-id> and <your-ip-cidr> with the actual values (for a rule open to the whole internet the CIDR is 0.0.0.0/0):
    aws ec2 revoke-security-group-ingress --group-id <your-security-group-id> --protocol tcp --port 3306 --cidr <your-ip-cidr>
  This command will remove the ingress rule that allows access to port 3306 (MySQL) from the specified IP CIDR range; if your instance runs a different engine, use the port from Endpoint.Port instead of 3306.
- Verify the changes: Run the following AWS CLI command to describe the inbound rules of the security group and confirm that the public access rule has been revoked:
    aws ec2 describe-security-groups --group-ids <your-security-group-id>
By following these steps, you can remediate the misconfiguration of RDS instances being publicly accessible in AWS by updating the security group's inbound rules using AWS CLI.
To remediate the misconfiguration of RDS instances being publicly accessible in AWS using Python, you can follow these steps:
- Import the necessary libraries:
    import boto3
- Initialize the AWS clients for RDS and EC2 (the security groups attached to a VPC-based RDS instance are EC2 VPC security groups and are edited through the EC2 API; the legacy DB security group API only applies to EC2-Classic instances):
    rds_client = boto3.client('rds')
    ec2_client = boto3.client('ec2')
- Get a list of all RDS instances:
    response = rds_client.describe_db_instances()
- Iterate through each RDS instance and check if it is publicly accessible. If it is, modify the attached security groups to remove every ingress rule that allows traffic from 0.0.0.0/0:
    for db_instance in response['DBInstances']:
        db_instance_identifier = db_instance['DBInstanceIdentifier']
        if not db_instance['PubliclyAccessible']:
            continue
        for vpc_sg in db_instance['VpcSecurityGroups']:
            security_group_id = vpc_sg['VpcSecurityGroupId']
            sg = ec2_client.describe_security_groups(GroupIds=[security_group_id])['SecurityGroups'][0]
            for rule in sg['IpPermissions']:
                if not any(r['CidrIp'] == '0.0.0.0/0' for r in rule.get('IpRanges', [])):
                    continue
                # Revoke only the world-open range so other sources in the same rule stay intact;
                # "all traffic" rules (IpProtocol '-1') carry no port range
                permission = {'IpProtocol': rule['IpProtocol'], 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}
                if 'FromPort' in rule:
                    permission['FromPort'] = rule['FromPort']
                    permission['ToPort'] = rule['ToPort']
                ec2_client.revoke_security_group_ingress(GroupId=security_group_id, IpPermissions=[permission])
        print(f"Public access revoked for RDS instance: {db_instance_identifier}")
- Run the script to remediate the misconfiguration.
Please ensure that you have the necessary permissions to modify RDS instances and security groups in your AWS account before running this script.
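The console, CLI and Python procedures above all close the exposure by editing security group rules, and the Python script keys its decision on the instance's PubliclyAccessible flag. The script below is an added example, not code from the original page: it separates the audit (a pure function over describe-db-instances and describe-security-groups output, so it can be run against sample data without credentials) from the fix, and it goes one step beyond the page by removing the public endpoint itself through the RDS ModifyDBInstance API (PubliclyAccessible=False) rather than only trimming security group rules. It also treats ::/0 and "all traffic" (IpProtocol -1) rules as world-open, which the page's 0.0.0.0/0-only check would miss. The helper names (is_world_open, audit_rds_exposure, remediate_instance), the SAMPLE_* data and the --fix flag are constructed for this example and are not part of any AWS tool.

```python
"""Audit RDS instances for internet exposure and, on request, remove the public endpoint.

Added example; not code from the original page. It relies on the response
shapes of rds.describe_db_instances and ec2.describe_security_groups; the
helper names and the SAMPLE_* data below are constructed for this example.
"""
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def is_world_open(rule: dict, db_port: int) -> bool:
    """True if one security-group ingress rule admits the whole internet on db_port."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    if not WORLD_CIDRS.intersection(sources):
        return False
    if rule.get("IpProtocol") == "-1":  # "all traffic" rules carry no port range
        return True
    return rule.get("FromPort", 0) <= db_port <= rule.get("ToPort", 65535)


def audit_rds_exposure(db_instances: List[dict], security_groups: Dict[str, dict]) -> List[dict]:
    """One finding per instance that has a public endpoint (the control on this page).

    Each finding also lists which attached VPC security groups admit
    0.0.0.0/0 or ::/0 on the database port: the instance is reachable from
    the internet only when BOTH the public endpoint and a world-open rule
    exist, so this detail tells the triager how urgent the finding is.
    """
    findings = []
    for inst in db_instances:
        if not inst["PubliclyAccessible"]:
            continue
        port = (inst.get("Endpoint") or {}).get("Port", 0)  # Endpoint is absent while creating
        open_groups = []
        for ref in inst.get("VpcSecurityGroups", []):
            sg = security_groups.get(ref["VpcSecurityGroupId"], {})
            if any(is_world_open(r, port) for r in sg.get("IpPermissions", [])):
                open_groups.append(ref["VpcSecurityGroupId"])
        findings.append({
            "instance": inst["DBInstanceIdentifier"],
            "world_open_groups": open_groups,
            "internet_reachable": bool(open_groups),
        })
    return findings


def remediate_instance(rds_client, db_instance_identifier: str) -> dict:
    """Drop the public endpoint; the instance keeps its VPC-internal DNS name."""
    return rds_client.modify_db_instance(
        DBInstanceIdentifier=db_instance_identifier,
        PubliclyAccessible=False,
        ApplyImmediately=True,
    )


# Constructed sample data (not real account values), shaped like the boto3 responses.
SAMPLE_SECURITY_GROUPS = {
    "sg-0a1b2c3d4e5f60001": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0a1b2c3d4e5f60002": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    "sg-0a1b2c3d4e5f60003": {"IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
}
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60001"}]},
    {"DBInstanceIdentifier": "analytics-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60002"}]},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60001"}]},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 1433}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60003"}]},
]

if __name__ == "__main__":
    import sys
    import boto3  # needed only for a live run; the helpers above are pure functions

    rds, ec2 = boto3.client("rds"), boto3.client("ec2")
    instances = [i for page in rds.get_paginator("describe_db_instances").paginate()
                 for i in page["DBInstances"]]
    ids = sorted({g["VpcSecurityGroupId"] for i in instances for g in i.get("VpcSecurityGroups", [])})
    groups = {g["GroupId"]: g for g in ec2.describe_security_groups(GroupIds=ids)["SecurityGroups"]} if ids else {}
    for finding in audit_rds_exposure(instances, groups):
        print(finding)
        if "--fix" in sys.argv:  # constructed flag: only flip the endpoint when asked
            remediate_instance(rds, finding["instance"])
```

Run it without arguments to get a read-only report (one line per instance with a public endpoint, marking which ones a world-open security group actually exposes); pass --fix to also clear PubliclyAccessible on each of them. Changing PubliclyAccessible is a modification applied by RDS, so expect the instance to show a "modifying" status briefly, and keep the security group clean-up from the steps above in place as defence in depth: either control alone closes the path, but the audit only reports "internet_reachable" when both are missing.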