
Ensure That Public Access is Not Given to RDS Instance Rule

This rule ensures that public access is restricted for RDS Instances.

Rule: Ensure that public access is not given to RDS Instance
Framework: cis_v150
Severity: High

Rule Details:

This rule, part of the cis_v150 framework, focuses on ensuring that public access is not given to RDS (Relational Database Service) instances. RDS instances are managed database services provided by Amazon Web Services (AWS) that allow users to store and retrieve data efficiently. Limiting public access to these instances helps maintain data security and prevents unauthorized access or data breaches.

Description:

Public access to RDS instances poses a significant security risk because it allows anyone on the internet to connect to and interact with the database. To address this, the cis_v150 rule enforces strict control over the accessibility of RDS instances and ensures they are not publicly accessible.

Troubleshooting Steps:

If the RDS instance is found to have public access, the following steps can be taken to troubleshoot and resolve the issue:

  1. Identify the RDS instance: Start by identifying the specific RDS instance that has public access enabled.

  2. Verify the security group settings: Check the security group associated with the RDS instance. Ensure that the inbound rules of the security group do not allow inbound connections from a public or unrestricted IP range (0.0.0.0/0).

  3. Check network ACLs: If your AWS environment is using network Access Control Lists (ACLs), verify that the subnet associated with the RDS instance is not allowing public access. Make sure the inbound and outbound rules only permit necessary traffic and do not contain any overly permissive rules.

  4. Check subnet routing: Ensure that the subnet associated with the RDS instance is not using an internet gateway (IGW) for routing. IGWs enable public internet connectivity for subnets, so removing the IGW route from the subnet's route table will prevent public access.

  5. Review RDS instance VPC settings: Check the Virtual Private Cloud (VPC) settings for the RDS instance. Ensure that it is not using a public subnet and is instead placed in a private subnet for increased security.

  6. Review the database instance endpoint: Validate that the endpoint URL of the RDS instance does not resolve to a publicly accessible DNS name. If it does, adjust the DNS configuration or move the RDS instance to a private subnet.

  7. Restrict access to specific IP ranges: If external access to the RDS instance is required, restrict it to specific IP ranges (e.g., corporate networks, VPN connections) using security group rules or a VPN tunnel.
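Steps 1, 2 and 6 above can be checked programmatically. The following is an added example (not Cloud Defense code) that evaluates data shaped like the boto3 responses of `rds.describe_db_instances()` and `ec2.describe_security_groups()`: it flags the instance-level `PubliclyAccessible` attribute and any attached security group rule open to 0.0.0.0/0 or ::/0. The instance and security group data below are constructed samples.

```python
# Added example, not Cloud Defense code: evaluate RDS public exposure offline
# from data shaped like rds.describe_db_instances() and
# ec2.describe_security_groups() responses (boto3). Sample data is constructed.
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-aaaa"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-bbbb"}]},
]
SAMPLE_SECURITY_GROUPS = {
    "sg-aaaa": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": ANY_V4}],
        "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    "sg-bbbb": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
        "Ipv6Ranges": []}]},
}


def open_ingress_rules(sg: dict) -> list:
    """List every ingress rule of a security group that is open to the internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        proto = perm.get("IpProtocol", "-1")
        # IpProtocol "-1" means all protocols and ports in the EC2 API.
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        findings += [f"{proto} {ports} from {c}" for c in cidrs if c in (ANY_V4, ANY_V6)]
    return findings


def audit_rds(instances: list, security_groups: dict) -> dict:
    """Map each DB instance id to its findings; an empty list means compliant."""
    report = {}
    for inst in instances:
        findings = []
        # Instance-level flag: True means the endpoint resolves to a public IP.
        if inst.get("PubliclyAccessible"):
            findings.append("PubliclyAccessible=True")
        for ref in inst.get("VpcSecurityGroups", []):
            sg_id = ref["VpcSecurityGroupId"]
            for rule in open_ingress_rules(security_groups.get(sg_id, {})):
                findings.append(f"{sg_id} allows {rule}")
        report[inst["DBInstanceIdentifier"]] = findings
    return report
```

An instance with an empty findings list satisfies the rule; any entry points at the exact attribute or security group rule that needs to be changed in the remediation steps.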

Remediation:

To remediate the issue and ensure that public access is not given to the RDS instance, follow these step-by-step instructions:

  1. Identify the specific RDS instance that needs to be remediated.

  2. Access the AWS Management Console.

  3. Navigate to the Amazon RDS service.

  4. Click on "Instances" in the left-hand navigation pane.

  5. Locate and select the RDS instance that requires remediation.

  6. Click on the "Configuration" tab that appears at the bottom of the instance details page.

  7. Review the "Connectivity & security" section to verify the current accessibility settings.

  8. If the instance's security group allows inbound traffic from any IP address (0.0.0.0/0), perform the following steps to restrict public access:

    • Click on the "Security groups" link to access the associated security group.

    • Identify the security group rules that allow inbound access from any IP address.

    • Modify the security group rules to allow access only from trusted IP ranges or specific subnets that require connectivity.

  9. If the RDS instance is using a public subnet, consider moving it to a private subnet:

    • Access the Amazon Virtual Private Cloud (VPC) service in the AWS Management Console.

    • Navigate to "Subnets" in the left-hand navigation pane.

    • Locate and select the subnet associated with the RDS instance.

    • Modify the subnet's route table to remove the entry that allows public internet access.

  10. After modifying the security group rules or moving the RDS instance to a private subnet, confirm that public access has been successfully restricted.

It is important to regularly audit and monitor the security settings of RDS instances to ensure ongoing compliance with this cis_v150 rule.
