Ensure there is an AWS security group created and configured for the data tier that grants inbound access from the app-tier security group on explicit TCP ports such as 3306 (MySQL, MariaDB and Amazon Aurora), 1433 (MSSQL), 1521 (Oracle SQL) and 5432 (PostgreSQL), to secure access to your database instances. This conformity rule assumes that all AWS resources created within your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the data-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
To protect the database instances within your data tier from unauthorized access, a distinct security group must be created and configured so that it allows inbound traffic only for the specific database protocol and port, and only with the security group associated with your app tier referenced as the source.
Note 1: The database type used as an example in this conformity rule is MySQL (TCP port 3306); however, depending on your AWS application design, other database types and ports may apply.
Note 2: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.
Audit
To determine if there is a security group created and configured particularly for the data tier, perform the following actions:
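As an added example (not Cloud Conformity's own code), the audit logic below evaluates a `describe-security-groups` response offline: it finds every group carrying the data-tier tag and reports any TCP 3306 rule that is not a single-port rule sourced from the app-tier group. The group ids and the response data are constructed sample values.

```python
import json

DB_PORT = 3306  # MySQL / MariaDB / Aurora; use 1433, 1521 or 5432 for other engines
APP_SG = "sg-0aaaaaaaaaaaaaaa1"  # constructed app-tier security group id

def audit_data_tier_sgs(security_groups, tag_key, tag_value, app_tier_sg_id, port=DB_PORT):
    """Map each data-tier-tagged group id to a list of findings (empty = compliant).
    If no group carries the data-tier tag, the finding is reported under key None."""
    results = {}
    for sg in security_groups:
        tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
        if tags.get(tag_key) != tag_value:
            continue
        findings, app_rule = [], False
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # "-1" is the all-traffic protocol; it always covers the DB port and is too broad
            covers_db = proto == "-1" or (proto == "tcp" and lo is not None and lo <= port <= hi)
            if not covers_db:
                continue
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == app_tier_sg_id and proto == "tcp" and lo == hi == port:
                    app_rule = True
                else:
                    findings.append(f"port {port} reachable from {pair.get('GroupId')} (wrong source or too wide)")
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"port {port} open to CIDR {cidr}; source should be {app_tier_sg_id}")
        if not app_rule:
            findings.append(f"no TCP {port} ingress rule referencing app-tier group {app_tier_sg_id}")
        results[sg["GroupId"]] = findings
    if not results:
        results[None] = [f"no security group tagged {tag_key}:{tag_value} found"]
    return results

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
SAMPLE = [
    {"GroupId": "sg-0bbbbbbbbbbbbbbb1", "Tags": [{"Key": "tier", "Value": "data"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": APP_SG}], "IpRanges": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "Tags": [{"Key": "tier", "Value": "data"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print(json.dumps(audit_data_tier_sgs(SAMPLE, "tier", "data", APP_SG), indent=2))
```

Feed it the `SecurityGroups` array from the real CLI or boto3 response, with your own tag key, tag value and app-tier group id, to run the same check against your account.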
Remediation / Resolution
To create a compliant Amazon data-tier security group and configure it to allow inbound traffic from the app-tier security group on an explicit port (in this case TCP port 3306), perform the following:
References
- AWS Documentation
  - Security Groups for Your VPC
  - Amazon EC2 Security Groups for Linux Instances
  - Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - describe-tags
    - create-security-group
    - authorize-security-group-ingress
    - create-tags
  - rds
    - describe-db-instances
    - modify-db-instance
Rule: Create and Configure Data-Tier Security Group
Risk level: Medium