
Publicly Accessible RDS Instances

Security

Risk level: High (not acceptable risk)

Check for any public-facing RDS database instances provisioned in your AWS account and restrict unauthorized access to minimise security risks. To restrict access to a publicly accessible RDS database instance, you must disable the instance's Publicly Accessible flag and update the VPC security group associated with the instance.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When the VPC security group associated with an RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database, which increases the opportunity for malicious activity such as brute-force attacks, SQL injection or DoS/DDoS attacks. The Publicly Accessible flag is what gives the instance a public IP address, and the security group then decides who can reach it, so both settings have to be checked together.

Audit

To determine if your RDS database instances are publicly accessible, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 On the Details tab, next to the Endpoint section, hover over the information icon (i) to display the Connection Information box. If the Publicly Accessible flag status is set to Yes and the security group associated with the instance allows access to everyone (i.e. 0.0.0.0/0), the selected RDS database instance is publicly accessible and prone to security risks.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the identifiers of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
    --region us-east-1 \
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "mysql-production-db"
]

03 Run the describe-db-instances command (OSX/Linux/UNIX) again, using the PubliclyAccessible attribute as the query filter, to reveal the instance's Publicly Accessible flag status:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier mysql-production-db \
    --query 'DBInstances[*].PubliclyAccessible'

04 The command output should return the Publicly Accessible flag current status (true for enabled, false for disabled):

[
    true
]

05 Run the describe-db-instances command (OSX/Linux/UNIX) using the VpcSecurityGroups attribute as the query filter to return the ID of the security group associated with the instance:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier mysql-production-db \
    --query 'DBInstances[*].VpcSecurityGroups'

06 The command output should return the VPC security group ID:

[
    [
        {
            "Status": "active",
            "VpcSecurityGroupId": "sg-533fcf28"
        }
    ]
]

07 Now that you have the security group ID, run the describe-security-groups command (OSX/Linux/UNIX) using the IpPermissions attribute as the query filter to reveal the security group's inbound rules:

aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids sg-533fcf28 \
    --query 'SecurityGroups[*].IpPermissions'

08 The command output should return the inbound (ingress) rules metadata:

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 3306,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 3306,
            "IpProtocol": "tcp"
        }
    ]
]

If the Publicly Accessible flag is set to true (step no. 4) and the security group associated with the instance uses the 0.0.0.0/0 CIDR/IP range in its inbound rules, the selected RDS database instance is publicly accessible and insecure.

09 Repeat steps no. 1 – 8 for each RDS instance provisioned in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.
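The audit steps above, automated over the same documents the describe-db-instances and describe-security-groups commands return, as an added example that is not part of the Cloud Conformity page or product. It goes beyond the page's single case: an IPv6 ::/0 range, an all-traffic (-1) rule and a port range spanning the endpoint port are also treated as world-open, and security groups that are not active on the instance are skipped. The instance and security group documents are constructed samples (pg-reporting-db and sg-0a1b2c3d are invented).

```python
# Constructed samples shaped like the DBInstances / SecurityGroups lists in the CLI's JSON output.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "mysql-production-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-533fcf28"}]},
    {"DBInstanceIdentifier": "pg-reporting-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-0a1b2c3d"}]},
]
SECURITY_GROUPS = [
    # The page's finding: MySQL port open to the whole IPv4 Internet.
    {"GroupId": "sg-533fcf28", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Looks restricted on IPv4, but an all-traffic rule is open to the whole IPv6 Internet.
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "54.76.105.205/32"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

def rule_covers_port(rule, port):
    """True if an IpPermissions entry reaches `port` ('-1' = all traffic, carries no ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_cidrs(rule):
    """Every 'anywhere' CIDR in a rule, IPv4 (IpRanges) and IPv6 (Ipv6Ranges)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def find_public_rds(db_instances, security_groups):
    """(instance id, sg id, cidr) for each PubliclyAccessible instance behind an active SG with a world-open rule on its port."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in db_instances:
        port = db.get("Endpoint", {}).get("Port")
        if not db.get("PubliclyAccessible") or port is None:
            continue  # flag off (or no endpoint yet): no public address, whatever the SG allows
        for attached in db.get("VpcSecurityGroups", []):
            if attached.get("Status") != "active":
                continue
            sg = sg_by_id.get(attached["VpcSecurityGroupId"], {"IpPermissions": []})
            for rule in sg["IpPermissions"]:
                if rule_covers_port(rule, port):
                    for cidr in world_open_cidrs(rule):
                        findings.append((db["DBInstanceIdentifier"], attached["VpcSecurityGroupId"], cidr))
    return findings
```

Feed it the DBInstances list of describe-db-instances for a region and the SecurityGroups list of describe-security-groups for the IDs it references, then repeat per region as in step 9.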

Remediation / Resolution

To update your RDS instances connection configuration in order to restrict access, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to update.

05 Click Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: < instance identifier > page, under Network & Security section, check No next to Publicly Accessible to disable the flag and restrict public access.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately.

08 Click Continue.

09 Review the changes and click Modify DB Instance. Once the configuration changes are applied (it should take a few minutes), the Publicly Accessible flag will be disabled.

10 Click Instance Actions button from the dashboard top menu and select See Details.

11 Under Security and Network section, next to Security Groups, click on each active security group name to select it for editing.

12 On the VPC Security Groups page, select the Inbound tab from the bottom panel and click the Edit button to edit the selected security group ingress rules.

13 In the Edit inbound rules dialog box, identify any inbound rules which have set the Source to Anywhere (0.0.0.0/0) and update them by using one of the following actions:

  1. To grant access to a certain IP address (e.g. application server instance IP/EIP):
    • Select Custom IP from the Source dropdown list.
    • Enter the IP address CIDR (e.g. 54.76.105.205/32) that you want to authorize in the Source field.
    • Click the Save button to save the changes.
  2. To grant access to an EC2 Security Group (e.g. application server EC2 security group):
    • Select Custom IP from the Source dropdown list.
    • Enter the EC2 security group ID (e.g. sg-aa14e4d1) that you want to authorize in the Source field.
    • Click the Save button to save the changes.

14 Repeat steps no. 4 – 13 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the identifiers of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
    --region us-east-1 \
    --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "mysql-production-db"
]

03 Run the modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance's connection configuration. The following command example disables the Publicly Accessible flag for an RDS instance named mysql-production-db:

aws rds modify-db-instance \
    --region us-east-1 \
    --db-instance-identifier mysql-production-db \
    --no-publicly-accessible \
    --apply-immediately

04 The command output should show the instance's pending configuration values. The top-level PubliclyAccessible value stays true until the change is applied; the new value appears under PendingModifiedValues:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "webappdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ...
        "PendingModifiedValues": {
            "PubliclyAccessible": false
        },
        ...
        "DbiResourceId": "db-LVM75IJA2YOGQ3FJUNRK7HKFKM",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.t2.micro",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "mysql-production-db"
    }
}

05 Run the describe-db-instances command (OSX/Linux/UNIX) using the VpcSecurityGroups attribute as the query filter to return the ID of the VPC security group associated with the instance:

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier mysql-production-db \
    --query 'DBInstances[*].VpcSecurityGroups'

06 The command output should return the VPC security group ID:

[
    [
        {
            "Status": "active",
            "VpcSecurityGroupId": "sg-533fcf28"
        }
    ]
]

07 Run the revoke-security-group-ingress command (OSX/Linux/UNIX) to revoke the VPC security group inbound rule whose CIDR is set to 0.0.0.0/0 and therefore grants access to everyone (no output is returned):

aws ec2 revoke-security-group-ingress \
    --region us-east-1 \
    --group-id sg-533fcf28 \
    --protocol tcp \
    --port 3306 \
    --cidr 0.0.0.0/0

08 Case A: Instance access authorization based on IP/CIDR. Run the authorize-security-group-ingress command (OSX/Linux/UNIX) to authorize access from a specific IP/CIDR to the instances associated with the selected VPC security group (no output is returned):

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id sg-533fcf28 \
    --protocol tcp \
    --port 3306 \
    --cidr 54.76.105.205/32

09 Case B: Instance access authorization based on EC2 security group. Run the authorize-security-group-ingress command (OSX/Linux/UNIX) to authorize access from an existing EC2 security group (no command output is returned):

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id sg-533fcf28 \
    --protocol tcp \
    --port 3306 \
    --source-group sg-aa14e4d1

10 Repeat steps no. 1 – 9 for each RDS instance provisioned in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.
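Steps 3 and 7 to 9 of the CLI remediation as code, an added example that is not Cloud Conformity's. It generalizes the page's single revoke command by building the IpPermissions payload from the security group's actual rule, so an all-traffic or IPv6 ::/0 rule is revoked too while legitimate sources on the same rule are kept, and it takes boto3-style rds and ec2 clients whose method names and keyword arguments are boto3's (no AWS call is made here; the 10.20.0.0/16 source in the sample is constructed).

```python
WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample in the shape of describe-security-groups output: the page's
# sg-533fcf28, here with a legitimate second source on the same 3306 rule.
SG = {"GroupId": "sg-533fcf28", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.20.0.0/16"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

def remediation_plan(sg, port, allow_cidrs=(), allow_group=None):
    """IpPermissions payloads for steps 7-9: revoke only the world-open ranges of rules
    that reach `port` (other sources on the rule are kept), then authorize the given
    CIDRs (case A) and/or an EC2 security group (case B)."""
    revoke = []
    for rule in sg["IpPermissions"]:
        all_traffic = rule.get("IpProtocol") == "-1"
        if not all_traffic and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            continue
        entry = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
        v4 = [r for r in rule.get("IpRanges", []) if r.get("CidrIp") in WORLD]
        v6 = [r for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        if v4 or v6:
            revoke.append(entry)
    grant = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if allow_cidrs:
        grant["IpRanges"] = [{"CidrIp": c} for c in allow_cidrs]
    if allow_group:
        grant["UserIdGroupPairs"] = [{"GroupId": allow_group}]
    return {"revoke": revoke, "authorize": [grant] if len(grant) > 3 else []}

def remediate(rds, ec2, db_id, sg, port, allow_cidrs=(), allow_group=None):
    """Run the page's CLI sequence through boto3-style clients: the keyword arguments are
    those of boto3's modify_db_instance, revoke_security_group_ingress and
    authorize_security_group_ingress, so any object exposing those methods will do."""
    plan = remediation_plan(sg, port, allow_cidrs, allow_group)
    rds.modify_db_instance(DBInstanceIdentifier=db_id, PubliclyAccessible=False,
                           ApplyImmediately=True)
    if plan["revoke"]:
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=plan["revoke"])
    if plan["authorize"]:
        ec2.authorize_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=plan["authorize"])
    return plan
```

With real clients this is `remediate(boto3.client("rds"), boto3.client("ec2"), "mysql-production-db", sg_doc, 3306, allow_cidrs=["54.76.105.205/32"])`, where sg_doc is the SecurityGroups entry from describe-security-groups.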


Publication date May 5, 2016