This rule ensures that RDS DB instances do not allow public access, maintaining security standards.
| Rule | RDS DB instances should prohibit public access |
| --- | --- |
| Framework | AWS Audit Manager Control Tower Guardrails |
| Severity | High |
RDS DB Instances Should Prohibit Public Access for AWS Audit Manager Control Tower Guardrails
Ensuring that RDS DB instances prohibit public access is crucial for the security of your data. AWS Audit Manager automates evidence collection for audits, while AWS Control Tower Guardrails are high-level rules that provide governance for AWS environments.
Description of the Rule
Publicly accessible Amazon Relational Database Service (RDS) instances can expose sensitive information and are potentially vulnerable to various types of security threats. Therefore, it's paramount to ensure that such instances are not publicly accessible, conforming to AWS Control Tower security guardrails.
The specific rule for this policy dictates that every RDS DB instance must be configured to prevent access from public networks. In other words, the `PubliclyAccessible` attribute of an RDS instance should be set to `false`.

Troubleshooting Steps
If you discover that an RDS instance is publicly accessible, you can follow these steps to address the issue.
1. Identify the Publicly Accessible RDS Instances
You can identify publicly accessible RDS instances using the AWS Management Console, AWS Command Line Interface (CLI), or AWS APIs.
Using AWS CLI:
```bash
aws rds describe-db-instances \
  --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]' \
  --output text
```

Check for instances that have `True` as the second value in the output.

2. Modify the RDS Instance to Remove Public Access
Once you've identified the publicly accessible RDS instances, you can modify them to disable public access.
Using AWS CLI:
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-identifier> \
  --no-publicly-accessible \
  --apply-immediately
```

Replace `<your-db-instance-identifier>` with the identifier of your RDS instance.

3. Verify the Changes
After applying the changes, verify that the `PubliclyAccessible` attribute is set to `false`.

Using AWS CLI:

```bash
aws rds describe-db-instances \
  --db-instance-identifier <your-db-instance-identifier> \
  --query 'DBInstances[*].PubliclyAccessible'
```
Confirm that the output is `false`.
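The identify/modify/verify procedure above can be automated for an account with many instances. The following script is an added example, not part of the original page: `find_public_instances` evaluates the same `PubliclyAccessible` attribute the CLI query reads, on the paginated `DescribeDBInstances` response shape, and `remediate` issues the same `ModifyDBInstance` call as the CLI command. The `rds_client` parameter is assumed to be a boto3 RDS client; the sample response data is constructed for illustration.

```python
"""Audit RDS DB instances for PubliclyAccessible=True and remediate them."""
import json
from typing import Iterable


def find_public_instances(describe_pages: Iterable[dict]) -> list[dict]:
    """Return non-compliant instances from DescribeDBInstances response pages.

    Each page is the dict the RDS DescribeDBInstances API returns (the same shape
    the CLI prints with --output json). Only instances whose PubliclyAccessible
    attribute is True are reported, with the context needed to triage them.
    """
    findings = []
    for page in describe_pages:
        for db in page.get("DBInstances", []):
            if db.get("PubliclyAccessible", False):  # the attribute the rule checks
                findings.append({
                    "DBInstanceIdentifier": db["DBInstanceIdentifier"],
                    "Engine": db.get("Engine"),
                    "VpcId": db.get("DBSubnetGroup", {}).get("VpcId"),
                    "Status": db.get("DBInstanceStatus"),
                })
    return findings


def audit_account(rds_client) -> list[dict]:
    """Page through all instances in the region using a boto3 RDS client (assumed)."""
    paginator = rds_client.get_paginator("describe_db_instances")
    return find_public_instances(paginator.paginate())


def remediate(rds_client, identifier: str, apply_immediately: bool = False) -> dict:
    """Disable public access; equivalent to the page's modify-db-instance command.

    apply_immediately=False defers the change to the next maintenance window.
    """
    return rds_client.modify_db_instance(
        DBInstanceIdentifier=identifier,
        PubliclyAccessible=False,
        ApplyImmediately=apply_immediately,
    )


# Constructed sample page mirroring the DescribeDBInstances response shape.
SAMPLE_PAGE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "PubliclyAccessible": True,
     "DBInstanceStatus": "available", "DBSubnetGroup": {"VpcId": "vpc-example1"}},
    {"DBInstanceIdentifier": "reports-db", "Engine": "mysql", "PubliclyAccessible": False,
     "DBInstanceStatus": "available", "DBSubnetGroup": {"VpcId": "vpc-example1"}},
]}

if __name__ == "__main__":
    import boto3  # only needed for the live API calls
    for finding in audit_account(boto3.client("rds")):
        print(json.dumps(finding))
```

Run it with credentials that hold `rds:DescribeDBInstances`; call `remediate` only after reviewing the findings, since dropping the public endpoint disrupts any client that reaches the instance from outside the VPC.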
Remediation Step by Step Guide
To remediate the public accessibility of an RDS DB instance, follow these steps:
Step 1: Modify the Instance
Use the AWS CLI to modify the instance as demonstrated above.
Step 2: Implement the Changes
After modifying the RDS instance settings to disable public access, apply the change either immediately (`--apply-immediately`) or during the next maintenance window, depending on your application's tolerance for potential disruptions.
Step 3: Monitor and Audit
Consistently monitor and audit your RDS instances to ensure compliance. Set up AWS CloudTrail and AWS Config to keep track of changes and to automate compliance checks.
Step 4: Update IAM Policies (Optional)
Ensure your AWS Identity and Access Management (IAM) policies reflect the need to restrict creating publicly accessible RDS instances. Attach the following policy to applicable IAM roles or users:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:PubliclyAccessible": "true"
        }
      }
    }
  ]
}
```
This IAM policy prevents the `rds:CreateDBInstance` action if the request includes a parameter to create a publicly accessible instance.

By enforcing this rule and setting IAM policies correctly, you can significantly reduce the attack surface of your AWS environment, aligning it with AWS Audit Manager Control Tower Guardrails' best practices for security and compliance.