Rule: RDS Instances Should Be Deployed in a VPC

Ensure all RDS instances are deployed within a Virtual Private Cloud (VPC) for enhanced security and network isolation.

Rule: RDS instances should be deployed in a VPC
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description

The rule states that RDS instances should be deployed within a Virtual Private Cloud (VPC) in order to adhere to the AWS Foundational Security Best Practices. This ensures that the database instances are protected within a private network and reduces the risk of unauthorized access.

Troubleshooting Steps

If you encounter any issues while deploying RDS instances within a VPC, consider the following troubleshooting steps:

  1. Verify VPC configuration: Ensure that the VPC is properly configured with subnets, route tables, and security groups. Cross-check the VPC settings against the AWS documentation to ensure accuracy.

  2. Check internet connectivity: Confirm that the VPC has proper internet connectivity by verifying the configuration of the internet gateway and the route table associated with the subnets. Make sure the RDS instances have access to the internet, if required.

  3. Verify VPC peering or VPN connection if applicable: If the RDS instances need to communicate with resources in other VPCs or on-premises networks, ensure that VPC peering or a VPN connection is properly established.

  4. DNS resolution within the VPC: Confirm that DNS resolution is functioning correctly within the VPC. Check the DNS settings in the VPC configuration and ensure that they align with your requirements.

Necessary Codes

No specific codes are required for this rule. However, certain AWS CLI commands may be helpful for monitoring and managing RDS instances within a VPC.
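As an added example (not part of the original rule page or Cloud Defense tooling), the script below audits the JSON that `aws rds describe-db-instances --output json` returns: an instance with no `DBSubnetGroup.VpcId` is not deployed in a VPC and fails this rule, and instances flagged `PubliclyAccessible` are reported alongside because they are the usual next thing to fix. A second check reads a security group in the shape of `aws ec2 describe-security-groups` output and reports any world-open CIDR (`0.0.0.0/0` or `::/0`) that covers the database port. All sample data is constructed inline; the identifiers, VPC and security group IDs are placeholders.

```python
"""Audit RDS placement and exposure from AWS CLI JSON (added example, constructed data)."""
import json

# Constructed sample shaped like `aws rds describe-db-instances --output json`.
# Identifiers and IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-db",
            "Engine": "postgres",
            "PubliclyAccessible": False,
            "DBSubnetGroup": {"DBSubnetGroupName": "private-db-subnets",
                              "VpcId": "vpc-0example1"},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example1",
                                   "Status": "active"}],
        },
        {
            # No DBSubnetGroup at all: the instance is not deployed in a VPC.
            "DBInstanceIdentifier": "legacy-db",
            "Engine": "mysql",
            "PubliclyAccessible": False,
        },
        {
            # In a VPC, but reachable from the internet.
            "DBInstanceIdentifier": "reports-db",
            "Engine": "mysql",
            "PubliclyAccessible": True,
            "DBSubnetGroup": {"DBSubnetGroupName": "public-db-subnets",
                              "VpcId": "vpc-0example1"},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example2",
                                   "Status": "active"}],
        },
    ]
})

# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0example2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def audit_rds_instances(describe_output: str) -> dict:
    """Return instances that are not in a VPC and instances that are publicly accessible."""
    data = json.loads(describe_output)
    report = {"not_in_vpc": [], "publicly_accessible": []}
    for db in data.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        # A VPC-deployed instance always carries a DB subnet group with a VpcId.
        vpc_id = (db.get("DBSubnetGroup") or {}).get("VpcId")
        if not vpc_id:
            report["not_in_vpc"].append(name)
        if db.get("PubliclyAccessible"):
            report["publicly_accessible"].append(name)
    return report


def world_open_ingress(security_group: dict, db_port: int) -> list:
    """Return world-open CIDRs whose ingress rule covers db_port (empty list if none)."""
    exposed = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols and all ports.
        all_ports = proto == "-1"
        in_range = (perm.get("FromPort") is not None
                    and perm["FromPort"] <= db_port <= perm["ToPort"])
        if not (all_ports or in_range):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") in WORLD_OPEN:
                exposed.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in WORLD_OPEN:
                exposed.append(r["CidrIpv6"])
    return exposed


if __name__ == "__main__":
    print(json.dumps(audit_rds_instances(SAMPLE_DESCRIBE_OUTPUT), indent=2))
    print("world-open on 3306:", world_open_ingress(SAMPLE_SECURITY_GROUP, 3306))
```

To run it against a real account, replace the constructed `SAMPLE_DESCRIBE_OUTPUT` with the captured output of `aws rds describe-db-instances --output json`, and feed each entry of `aws ec2 describe-security-groups --group-ids <id>` to `world_open_ingress` with the engine's port. An instance that shows up under `not_in_vpc` cannot be moved in place; it has to be recreated in a DB subnet group inside the VPC as described in the remediation steps.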

Remediation Steps

To deploy RDS instances within a VPC, follow the step-by-step guide below:

  1. Create a VPC: Navigate to the AWS Management Console, select the VPC service, and choose "Create VPC." Provide the necessary details such as IP range, subnet, and route table settings.

  2. Configure subnets: Within the VPC, create appropriate subnets for your RDS instances. Consider creating public and private subnets based on your requirements. Public subnets have internet connectivity, while private subnets do not.

  3. Set up security groups: Create security groups to control inbound and outbound traffic for your RDS instances. Define rules for allowing access only from trusted sources and restricting unnecessary ports.

  4. Launch RDS instances: In the RDS service console, choose "Create database." Select the desired database engine, specify the VPC and subnet, and configure other RDS settings according to your needs.

  5. Configure database access: Define the appropriate database username, password, and access permissions for the RDS instance. Grant access to trusted entities or IAM roles within the VPC.

  6. Validate connectivity: Ensure that the RDS instance can be reached from resources within the VPC. Test the connection using appropriate tools or by connecting from an EC2 instance within the same VPC.

By following these steps, you can successfully deploy RDS instances within a VPC, adhering to the AWS Foundational Security Best Practices.
