RDS Publicly Accessible
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresCheck for any public facing RDS database instances provisioned in your AWS account and restrict unauthorized access in order to minimise security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When the VPC security group associated with an RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, SQL injections or DoS/DDoS attacks.
To determine if your RDS database instances are publicly accessible, perform the following:
01 Login to the AWS Management Console.
02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under RDS Dashboard, click Instances.
04 Select the RDS instance that you want to examine.
05 Click Instance Actions button from the dashboard top menu and select See Details.
06On the Details tab, next to Endpoint section, hover over the information icon (i) to display the Connection Information box. If the Publicly Accessible flag status is set to Yes and the security group associated with the instance allows access to everyone, i.e. 0.0.0.0/0:
the RDS database instance selected is publicly accessible and prone to security risks.
07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.
01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names, available in the selected AWS region:
aws rds describe-db-instances --region us-east-1 --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return each database instance identifier:
[
"mysql-production-db"
]
03 Run again describe-db-instances command (OSX/Linux/UNIX) using the PubliclyAccessible parameter as query filter to reveal the database instance Publicly Accessible flag status:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier mysql-production-db --query 'DBInstances[*].PubliclyAccessible'
04 The command output should return the Publicly Accessible flag current status (true for enabled, false for disabled):
[
true
]
05 Run describe-db-instances command (OSX/Linux/UNIX) using the VpcSecurityGroups parameter as query filter to return the security group ID associated with the instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier mysql-production-db --query 'DBInstances[*].VpcSecurityGroups'
06 The command output should return the VPC security group ID (highlighted):
[
[
{
"Status": "active",
"VpcSecurityGroupId": "sg-533fcf28"
}
]
]
07 Now that you have the security group ID, run again describe-db-instances command (OSX/Linux/UNIX) using the IpPermissions parameter as query filter to reveal the associated security group inbound rules:
aws ec2 describe-security-groups --region us-east-1 --group-ids sg-533fcf28 --query 'SecurityGroups[*].IpPermissions'
08 The command output should return the inbound (ingress) rules metadata:
[
[
{
"PrefixListIds": [],
"FromPort": 3306,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 3306,
"IpProtocol": "tcp",
}
]
]
09
Repeat steps no. 1 – 8 for each RDS instance provisioned in the current region. Change the AWS region by using the
--region filter to repeat the process for other regions.
To update your RDS instances connection configuration in order to restrict access, perform the following:
01 Login to the AWS Management Console.
02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under RDS Dashboard, click Instances.
04 Select the RDS instance that you want to update.
05 Click Instance Actions button from the dashboard top menu and select Modify.
06 On the Modify DB Instance: < instance identifier > page, under Network & Security section, check No next to Publicly Accessible to disable the flag and restrict public access.
07 At the bottom of the page, check Apply Immediately to apply the changes immediately.
08 Click Continue.
09 Review the changes and click Modify DB Instance. Once the configuration changes are applied (it should take few minutes), the Publicly Accessible flag will be disabled.
10 Click Instance Actions button from the dashboard top menu and select See Details.
11 Under Security and Network section, next to Security Groups, click on each active security group name to select it for editing.
12 On the VPC Security Groups page, select the Inbound tab from the bottom panel and click the Edit button to edit the selected security group ingress rules.
13 In the Edit inbound rules dialog box, identify any inbound rules which have set the Source to Anywhere (0.0.0.0/0) and update them by using one of the following actions:
14 Repeat steps no. 4 – 13 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.
01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names (identifiers), available in the selected AWS region:
aws rds describe-db-instances --region us-east-1 --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return each database instance identifier:
[
"mysql-production-db"
]
03 Run modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance connection configuration. The following command example disable the Publicly Accessible flag for an RDS instance named mysql-production-db:
aws rds modify-db-instance --region us-east-1 --db-instance-identifier mysql-production-db --no-publicly-accessible --apply-immediately
04 The command output should reveal the instance configuration pending values (highlighted):
{
"DBInstance": {
"PubliclyAccessible": true,
"MasterUsername": "webappdb",
"MonitoringInterval": 0,
"LicenseModel": "general-public-license",
...
"PendingModifiedValues": {
PubliclyAccessible": false
},
...
"DbiResourceId": "db-LVM75IJA2YOGQ3FJUNRK7HKFKM",
"CACertificateIdentifier": "rds-ca-2015",
"StorageEncrypted": false,
"DBInstanceClass": "db.t2.micro",
"DbInstancePort": 0,
"DBInstanceIdentifier": "mysql-production-db"
}
}
05 Run describe-db-instances command (OSX/Linux/UNIX) using the VpcSecurityGroups parameter as query filter to return the VPC security group ID associated with the instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier mysql-production-db --query 'DBInstances[*].VpcSecurityGroups'
06 The command output should return the VPC security group ID (highlighted):
[
[
{
"Status": "active",
"VpcSecurityGroupId": "sg-533fcf28"
}
]
]
07 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to revoke the VPC security group inbound rule with the CIDR set to 0.0.0.0/0 that grants access to everyone (no output is returned):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-533fcf28 --protocol tcp --port 3306 --cidr 0.0.0.0/0
08 Case A: Instance access authorization based on IP/CIDR. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to authorize custom access based on IP/CIDR to the instances associated with the selected VPC security group (no output is returned):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-533fcf28 --protocol tcp --port 3306 --cidr 54.76.105.205/32
09 Case B: Instance access authorization based on EC2 security group. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to authorize custom access based on existing EC2 security groups (no command output is returned):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-533fcf28 --protocol tcp --port 3306 --source-group sg-aa14e4d1
10
Repeat steps no. 1 – 9 for each RDS instance provisioned in the current region. Change the AWS region by using the
--region filter to repeat the process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat