This rule ensures that RDS DB instances do not allow public access, maintaining security standards.
Rule | RDS DB instances should prohibit public access
Framework | FedRAMP Low Revision 4
Severity | High
RDS DB Instances Should Prohibit Public Access for FedRAMP Low Revision 4
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP Low Impact Level baseline includes a set of security controls for systems that handle low-risk and low-impact data.
One of the requirements for systems seeking FedRAMP Low authorization is to prohibit unnecessary public access to database instances. This rule helps ensure that sensitive information is not inadvertently exposed to the public internet, reducing the chances of unauthorized access and potential attacks.
Detailed Rule Description
When configuring Relational Database Service (RDS) instances on AWS, one must ensure that the instances are not publicly accessible. Publicly accessible RDS instances can be connected to from any computer on the internet, which poses a significant security risk.
Public access to RDS instances should be turned off so that they can only be reached over private connections, such as from within an Amazon Virtual Private Cloud (VPC). This setting limits access to RDS databases to the minimum necessary for operations, in line with FedRAMP Low Revision 4 security requirements.
Troubleshooting and Remediation Steps
Check the Public Accessibility of RDS Instances
Change the Public Accessibility Setting
If an RDS instance is publicly accessible, follow these steps to change the setting:
CLI Command to Update RDS Instance Public Accessibility
To make an RDS instance not publicly accessible using the AWS CLI, run the following command:

aws rds modify-db-instance \
    --db-instance-identifier YourDBInstanceIdentifier \
    --no-publicly-accessible \
    --apply-immediately
Replace YourDBInstanceIdentifier with the actual identifier of your RDS instance.
Remediation Summary
To ensure that no RDS DB instances offer public access, all instances must be configured to deny public access, supporting FedRAMP compliance. Regularly monitoring and auditing RDS instances for public accessibility should be part of standard operational security procedures.
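The check and remediation steps above, as an added Python example that is not part of this rule page or of any AWS tool: it works over the describe-db-instances response shape, lists instances with PubliclyAccessible set, separates those that can be modified right away from those not yet in the available state, and fills in the page's CLI command for each. The sample response is constructed; audit_live, its boto3 calls and the region parameter are assumptions.

```python
"""Audit RDS instances for PubliclyAccessible=true and plan remediation."""
from typing import Dict, List

def public_instances(response: Dict) -> List[Dict]:
    # `response` has the shape of `aws rds describe-db-instances --output json`
    # or boto3 describe_db_instances(): {"DBInstances": [{...}, ...]}.
    return [inst for inst in response.get("DBInstances", [])
            if inst.get("PubliclyAccessible", False)]

def plan_remediation(response: Dict) -> Dict[str, List[str]]:
    # modify-db-instance is rejected unless the instance is 'available',
    # so split public instances into fix-now and retry-later.
    plan = {"fix_now": [], "retry_later": []}
    for inst in public_instances(response):
        ident = inst["DBInstanceIdentifier"]
        ready = inst.get("DBInstanceStatus") == "available"
        plan["fix_now" if ready else "retry_later"].append(ident)
    return plan

def remediation_command(identifier: str) -> str:
    # The CLI command from the page, filled in for one instance.
    return (f"aws rds modify-db-instance --db-instance-identifier {identifier} "
            "--no-publicly-accessible --apply-immediately")

def audit_live(region: str) -> Dict[str, List[str]]:
    # Same check against a real account (assumed helper; needs boto3 and AWS
    # credentials, not exercised offline). Paginates to cover large fleets.
    import boto3  # imported here so the rest of the file runs without it
    rds = boto3.client("rds", region_name=region)
    merged = {"fix_now": [], "retry_later": []}
    for page in rds.get_paginator("describe_db_instances").paginate():
        for key, idents in plan_remediation(page).items():
            merged[key].extend(idents)
    return merged

# Constructed sample page, not real account data.
SAMPLE_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": True,
     "DBInstanceStatus": "available"},
    {"DBInstanceIdentifier": "analytics-dev", "PubliclyAccessible": True,
     "DBInstanceStatus": "modifying"},
    {"DBInstanceIdentifier": "hr-prod", "PubliclyAccessible": False,
     "DBInstanceStatus": "available"},
]}

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_RESPONSE)
    print("\n".join(remediation_command(i) for i in plan["fix_now"]))
    print("retry later:", plan["retry_later"])
```

Run the audit on a schedule and treat any non-empty fix_now or retry_later list as a finding, which covers the regular monitoring the summary above calls for.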
SEO-Friendly and Accelerating SEO
This detailed guide provides succinct and practical instructions tailored to meet compliance with FedRAMP requirements. It focuses on the steps an organization would need to take to configure RDS instances to prohibit public access as part of FedRAMP Low Revision 4 compliance, which is key security information for businesses operating under government regulations.
The information is designed to be easy to follow and is structured in a step-by-step format with clear headings to ensure good user experience and readability.
It's important to note that while good quality content is SEO-friendly, accelerating SEO involves ongoing efforts beyond the scope of a single informational guide, including keyword optimization, backlink building, and regular updates to content to ensure its relevance and authority in the fast-paced tech domain.