
Aurora Database Instance Accessibility

Reliability

Risk level: Medium (should be achieved)

Ensure that all the database instances within your Amazon Aurora clusters have the same accessibility (either public or private) in order to follow AWS best practices.

It is highly recommended that all the database instances within an AWS Aurora cluster be either publicly accessible or privately accessible, because in case of a failover an instance might go from publicly accessible to privately accessible and obstruct the connectivity to the database cluster.

Audit

To identify any AWS Aurora clusters that have both private and public database instances, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Clusters.

04 Choose the AWS Aurora cluster that you want to examine and click on its Show or Hide Item Details button.

05 Within DB Cluster Members section, perform the following actions:

  1. Click on the writer database instance name to access its configuration page. Under Security and Network section, check the Publicly Accessible attribute value to determine whether the writer instance is publicly accessible or not. If the attribute value is Yes, the selected database instance is publicly accessible. If the value is No, the instance is not publicly accessible.
  2. Click on the reader database instance name to access its configuration page. In the Security and Network section, check the Publicly Accessible attribute value to determine whether the reader instance is publicly accessible (i.e. attribute value set to Yes) or not (i.e. value set to No).
  3. If the database instances verified at steps 1 and 2 have different values for the Publicly Accessible attribute, the instances within the selected Amazon Aurora database cluster do not have the same accessibility; therefore, in case of failover, when the healthy instance is promoted as primary, the connectivity to the cluster will be lost.

06 Repeat steps no. 4 – 5 to verify the instance accessibility settings for other AWS Aurora database clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all AWS Aurora database clusters available within the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested cluster identifiers:

-----------------------------
|    DescribeDBClusters     |
+---------------------------+
|  cc-aurora-mysql-cluster  |
|  cc-prod-aurora-cluster   |
+---------------------------+

03 Execute describe-db-clusters command (OSX/Linux/UNIX) using custom filtering to list the names of the database instances available within the selected Aurora cluster:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-aurora-mysql-cluster \
	--query 'DBClusters[*].DBClusterMembers[*].DBInstanceIdentifier[]'

04 The command output should return a list with the requested instance identifiers (names):

[
    "cc-aurora-mysql",
    "cc-aurora-mysql-us-east-1"
]

05 To reveal the Publicly Accessible attribute value for each database instance provisioned within the cluster, perform the following:

  1. Run describe-db-instances command (OSX/Linux/UNIX) using the name of the writer database instance as identifier to expose the accessibility status for this instance:
    aws rds describe-db-instances \
    	--region us-east-1 \
    	--db-instance-identifier cc-aurora-mysql \
    	--query 'DBInstances[*].PubliclyAccessible'
    
  2. The command output should return the writer database instance accessibility flag (true for publicly accessible, false for privately accessible):
    [
        true
    ]
    
  3. Run the describe-db-instances command (OSX/Linux/UNIX) again, using the name of the reader database instance as identifier, to expose the accessibility status for the reader instance:
    aws rds describe-db-instances \
    	--region us-east-1 \
    	--db-instance-identifier cc-aurora-mysql-us-east-1 \
    	--query 'DBInstances[*].PubliclyAccessible'
    
  4. The command output should return the reader database instance accessibility flag (true for public, false for private):
    [
        false
    ]
    

06 If the database instances (writer and reader) verified at step no. 5 have different values for the Publicly Accessible attribute, the selected AWS Aurora database cluster instances do not have the same accessibility; therefore, the connectivity to the cluster can be lost once the failover process is complete.

07 Repeat steps no. 3 – 6 to verify the instance accessibility settings for other AWS Aurora database clusters available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to run the entire audit process for other AWS regions.
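The CLI audit above compares one writer and one reader by hand. The following added example (not Cloud Conformity's own code) performs the same check over every member of every cluster in a region, using constructed JSON shaped like the describe-db-clusters and describe-db-instances output shown on this page; the identifiers and flags are sample values that mirror the ones above.

```python
import json

# Constructed sample, trimmed to the fields the audit needs. IsClusterWriter and
# DBClusterMembers are real fields of the describe-db-clusters output.
SAMPLE_CLUSTERS = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "cc-aurora-mysql-cluster",
   "DBClusterMembers": [
     {"DBInstanceIdentifier": "cc-aurora-mysql", "IsClusterWriter": true},
     {"DBInstanceIdentifier": "cc-aurora-mysql-us-east-1", "IsClusterWriter": false}]},
  {"DBClusterIdentifier": "cc-prod-aurora-cluster",
   "DBClusterMembers": [
     {"DBInstanceIdentifier": "cc-prod-aurora", "IsClusterWriter": true},
     {"DBInstanceIdentifier": "cc-prod-aurora-replica", "IsClusterWriter": false}]}
]}
""")
SAMPLE_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "cc-aurora-mysql", "PubliclyAccessible": true},
  {"DBInstanceIdentifier": "cc-aurora-mysql-us-east-1", "PubliclyAccessible": false},
  {"DBInstanceIdentifier": "cc-prod-aurora", "PubliclyAccessible": false},
  {"DBInstanceIdentifier": "cc-prod-aurora-replica", "PubliclyAccessible": false}
]}
""")


def audit_cluster_accessibility(clusters, instances):
    """Return {cluster_id: {"writer_public": bool, "mismatched": [ids]}} for each
    cluster whose members do not all share the writer's PubliclyAccessible value."""
    public_by_id = {i["DBInstanceIdentifier"]: bool(i["PubliclyAccessible"])
                    for i in instances["DBInstances"]}
    findings = {}
    for cluster in clusters["DBClusters"]:
        members = cluster["DBClusterMembers"]
        writer = next(m["DBInstanceIdentifier"] for m in members if m["IsClusterWriter"])
        writer_public = public_by_id.get(writer)
        # A reader whose flag differs from the writer's would change the cluster's
        # reachability if it were promoted to primary during a failover.
        mismatched = [m["DBInstanceIdentifier"] for m in members
                      if public_by_id.get(m["DBInstanceIdentifier"]) != writer_public]
        if mismatched:
            findings[cluster["DBClusterIdentifier"]] = {
                "writer_public": writer_public, "mismatched": mismatched}
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_cluster_accessibility(SAMPLE_CLUSTERS, SAMPLE_INSTANCES), indent=2))
```

Against the sample data only cc-aurora-mysql-cluster is reported, with its reader listed as the mismatched member; a cluster whose members are all private (or all public) produces no finding.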

Remediation / Resolution

To ensure that the database instances within your Aurora clusters have the same accessibility (either public or private), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Instances.

04 Select the database instance that you want to reconfigure (in this case, the reader instance, which is not publicly accessible).

05 Click Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under Network & Security section, check Yes next to Publicly Accessible to enable public database access and make the instance publicly accessible.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately.

08 Click Continue to access the review page.

09 Review the changes and click Modify DB Instance. Once the configuration changes are applied (it should take a few minutes), the Publicly Accessible status should change to Yes.

10 Repeat steps no. 4 – 9 to reconfigure database instances for other AWS Aurora clusters within the current region.

11 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) using the name of the instance that you want to reconfigure (in this case the reader instance) as identifier, and pass the --publicly-accessible parameter to change its accessibility setting to Yes (publicly accessible). If the cluster should instead be private, use the --no-publicly-accessible parameter to make the instance privately accessible:

aws rds modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-aurora-mysql-us-east-1 \
	--publicly-accessible \
	--apply-immediately

02 The command output should return the metadata for the modified database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MonitoringInterval": 60,
        "LicenseModel": "general-public-license",
        "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "07:53-08:23",
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 1,
        "DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:cc-aurora-mysql-us-east-1",
        "BackupRetentionPeriod": 1,
        "DBName": "cc_aurora_prod_db",

        ...

        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": false,
        "EngineVersion": "5.6.10a",
        "AvailabilityZone": "us-east-1",
        "DomainMemberships": [],
        "DBClusterIdentifier": "cc-aurora-mysql-cluster",
        "StorageType": "aurora",
        "DbiResourceId": "db-GXUPH2YHPMVNWFG9IK75CBVYKW",
        "CACertificateIdentifier": "rds-ca-2015",
        "DBInstanceClass": "db.r3.large",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-aurora-mysql-us-east-1"
    }
}

03 Repeat steps no. 1 and 2 to reconfigure database instances for other AWS Aurora clusters within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

Publication date 2017-13-09