Rule: RDS DB Instances Should Prohibit Public Access
This rule ensures that RDS DB instances do not allow public access, enhancing security measures.
| Rule | RDS DB instances should prohibit public access |
| Framework | CISA-cyber-essentials |
| Severity | ✔ High |
Rule Description
To comply with CISA Cyber Essentials guidelines, RDS (Relational Database Service) DB instances should prohibit public access. This rule ensures that the RDS DB instances are not accessible from the public internet, minimizing the risk of unauthorized access or potential security breaches.
Remediation Steps
1. Identify RDS DB instances with public access
- List all the RDS DB instances in your AWS account using the AWS CLI or AWS Management Console.
- Check the security group(s) associated with each DB instance to see if they allow inbound connections from the internet (e.g., 0.0.0.0/0 for source IP).
2. Update security group rules
- For each DB instance allowing public access, modify its associated security group(s) to restrict inbound connections to trusted sources only.
- Optionally, you may choose to completely remove the rule allowing public access if it's not required.
3. Test connectivity
- After updating the security group rules, verify that the RDS DB instances can still be accessed by the intended applications or users.
- Connect to the DB instances using authorized credentials and execute test queries to ensure proper functionality.
Troubleshooting Steps (if applicable)
1. Cannot connect to RDS DB instance after updating security group rules
- Ensure that the security group(s) associated with the DB instance allow inbound access from the correct IP ranges or specific source IP addresses.
- Validate that the outbound rules of the security group(s) also permit necessary traffic.
- Check if any Network ACLs (NACLs) associated with the subnet containing the DB instance are blocking the connection.
2. Error: "DB instance is not accessible via the internet"
- Confirm that the DB instance does not have a public IP assigned, which can enable public access.
- Double-check the security group(s) associated with the DB instance to ensure that inbound rules explicitly deny public access.
3. DB instance still accessible from the public internet
- Re-verify that the security group(s) associated with the DB instance have been properly updated with restrictive inbound rules.
- Confirm that the inbound rules neither allow access from 0.0.0.0/0 nor have any conflicting rules that might override the desired restrictions.
Necessary Codes (if applicable)
AWS CLI command to list RDS DB instances:
aws rds describe-db-instancesAWS CLI command to modify security group inbound rules:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --source-security-group <source-security-group-id>AWS CLI command to remove security group inbound rule:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr <source-ip-or-range>
Remediation Guide
- 1.
List all RDS DB instances in your AWS account:
- Use the AWS CLI command
to obtain a list of all RDS DB instances and their details.aws rds describe-db-instances
- 2.
Identify DB instances allowing public access:
- Analyze the output from the previous step and identify DB instances with public access.
- 3.
Modify security group(s) associated with each DB instance:
- For each DB instance allowing public access, use the AWS CLI command
to update the associated security group(s) by adding restrictive inbound rules. Specify the appropriate security group ID, protocol, port, and the source security group (trusted sources) allowed to access the DB instance.aws ec2 authorize-security-group-ingress
Example command:
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 5432 --source-security-group sg-98765432Note: Repeat this step for all DB instances allowing public access.
- 4.
Test connectivity to the DB instances:
- After updating the security group rules, verify that the DB instances can still be accessed by the intended applications or users.
- Connect to each DB instance from the permitted sources using authorized credentials.
- Execute test queries or perform necessary actions to ensure the expected functionality is maintained.
- 5.
Repeat the above steps for any other DB instances with public access.
- If multiple DB instances have public access, repeat steps 3 and 4 for each instance.
- 6.
Review and monitor regularly:
- Periodically review the security group rules associated with the RDS DB instances to ensure that public access remains restricted.
- Monitor access logs and investigate any unauthorized or suspicious activities related to the DB instances.
By following these steps, you can mitigate the risk of public access to your RDS DB instances and align with CISA Cyber Essentials guidelines.