Ensure there is an AWS security group created and configured for the data tier that grants inbound access from the app-tier security group only on explicit TCP ports such as 3306 (MySQL, MariaDB and Amazon Aurora), 1433 (MSSQL), 1521 (Oracle SQL) and 5432 (PostgreSQL), in order to secure access to your database instances. This conformity rule assumes that all AWS resources created within your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the data-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
To protect the database instances within your data tier from unauthorized access, a distinct security group must be created and configured so that it allows inbound traffic only for the specific database protocols and ports, and only with the security group associated with your app tier referenced as the source (rather than an IP address range).
Note 1: The database type used as an example in this conformity rule is MySQL (TCP port 3306); depending on your AWS application design, any other database type and port may apply.
Note 2: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.
To determine if there is a security group created and configured particularly for the data tier, perform the following actions:
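As an added illustration (not part of the rule's own audit steps or of the Cloud Conformity engine), the check below evaluates one security group, in the structure returned by `aws ec2 describe-security-groups`, against the requirement stated above: the database port must be reachable over TCP only from the app-tier security group, with no CIDR sources, no all-traffic rules and no wider port ranges. The group IDs and the two sample groups are constructed placeholders.

```python
def check_data_tier_sg(group, app_tier_sg_id, db_port=3306):
    """Return a list of findings for one security group (empty == compliant).

    group is one entry of describe-security-groups['SecurityGroups'];
    app_tier_sg_id is the only source allowed to reach db_port over TCP.
    """
    findings = []
    has_app_tier_rule = False
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":  # all traffic: never acceptable on a data tier
            findings.append("rule allows all protocols and ports")
            continue
        if lo is None or hi is None or not (lo <= db_port <= hi):
            continue  # rule does not touch the database port
        if hi != lo:
            findings.append(f"port range {lo}-{hi} is wider than tcp/{db_port}")
        # The rule wants a security-group reference as source, so any CIDR
        # (including 0.0.0.0/0) on the database port is a finding.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"tcp/{db_port} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src != app_tier_sg_id:
                findings.append(f"tcp/{db_port} reachable from unexpected group {src}")
            elif proto == "tcp" and lo == hi:
                has_app_tier_rule = True
    if not has_app_tier_rule:
        findings.append(f"no tcp/{db_port} rule with source {app_tier_sg_id}")
    return findings


# Constructed sample data with placeholder IDs, not real AWS output.
APP_TIER_SG = "sg-apptier0000000000"
COMPLIANT_SG = {
    "GroupId": "sg-datatier000000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_TIER_SG}]}]}
OPEN_SG = {
    "GroupId": "sg-datatier000000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for sg in (COMPLIANT_SG, OPEN_SG):
        print(sg["GroupId"], check_data_tier_sg(sg, APP_TIER_SG) or "compliant")
```

Feed it the `SecurityGroups` list filtered by your <data_tier_tag>:<data_tier_tag_value> tag to audit every data-tier group at once.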
To create a compliant Amazon data-tier security group and configure it to allow inbound traffic from the app-tier security group on an explicit port (in this case TCP port 3306), perform the following: