This rule checks that no RDS snapshot is shared publicly, so that database backups cannot be copied or restored by arbitrary AWS accounts.
Rule: RDS snapshots should prohibit public access
Framework: FedRAMP Low Revision 4
Severity: Critical
Compliance Rule: Prohibit Public Access to RDS Snapshots for FedRAMP Low Revision 4
Overview
Under FedRAMP Low Revision 4 compliance, Relational Database Service (RDS) snapshots must not have public access. Ensuring that snapshots of databases containing potentially sensitive information are not exposed to the public is essential to protecting the confidentiality and integrity of an organization's data.
Detailed Description
Amazon RDS creates backups of DB instances and clusters, known as snapshots. Manual snapshots (automated snapshots cannot be shared directly; they must be copied first) can be shared with specific AWS accounts or marked public, in which case any AWS account can copy the snapshot or restore a database from it. For environments that must comply with FedRAMP Low Revision 4 this is a significant risk: a public snapshot exposes the full contents of the database to anyone with an AWS account. The compliance rule therefore requires that no RDS snapshot be shared publicly. RDS does not allow an encrypted snapshot to be made public, so encryption at rest is useful defence in depth, but it is not a substitute for this check.
Troubleshooting Steps
Check the Public Accessibility Status of RDS Snapshots: In the AWS Management Console or with the AWS CLI, review each manual snapshot's restore attribute (describe-db-snapshot-attributes); a value of all means the snapshot is public.
Verify IAM Policies: Grant rds:ModifyDBSnapshotAttribute and rds:ModifyDBClusterSnapshotAttribute only to the roles that genuinely need to share snapshots, since these are the actions that can make a snapshot public.
Audit and Monitor RDS Snapshot Access: Evaluate snapshots continuously with AWS Config, and create an Amazon EventBridge rule that matches the CloudTrail events for ModifyDBSnapshotAttribute and ModifyDBClusterSnapshotAttribute so that sharing changes raise an alert as they happen.
If you find a snapshot that has been shared publicly, rectify it as follows:
Step-by-Step Remediation Guide
Using the AWS Management Console:
Using AWS CLI:
Identify Public Snapshots: Snapshots have no PubliclyAccessible field (that attribute belongs to DB instances); public sharing is recorded in the snapshot's restore attribute. List the snapshots your account has marked public (replace <account-id> with your AWS account ID; the public snapshot type also returns other accounts' public snapshots, so filter on the ARN):
aws rds describe-db-snapshots --snapshot-type public --query "DBSnapshots[?contains(DBSnapshotArn, ':<account-id>:')].DBSnapshotIdentifier" --output text
Modify Snapshot Accessibility: Modify the accessibility of the public snapshot to private by using the following command:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all
Replace <snapshot-identifier> with the actual identifier of the RDS snapshot that you want to modify. Removing the value all withdraws public access while leaving any accounts the snapshot was explicitly shared with in place; Aurora DB cluster snapshots use the analogous modify-db-cluster-snapshot-attribute command.
Compliance Validation
To ensure continuous compliance, implement the following practices:
Automate Compliance Checks: Use AWS Config rules to continuously evaluate snapshots and flag any that are public.
Enable AWS Config Rule for RDS Public Snapshots: Here is an example CLI command to enable an AWS Config rule:
aws configservice put-config-rule --config-rule file://config-rule-for-rds-public-snapshots.json
The configuration file (config-rule-for-rds-public-snapshots.json) contains the rule definition; for this check it can reference the AWS managed rule whose source identifier is RDS_SNAPSHOTS_PUBLIC_PROHIBITED, which evaluates both DB snapshots and DB cluster snapshots.
Periodic Auditing: Conduct regular audits of snapshot sharing with the AWS CLI or SDKs (describe-db-snapshot-attributes and describe-db-cluster-snapshot-attributes) and review CloudTrail for ModifyDBSnapshotAttribute calls to establish who shared a snapshot and when.
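The CLI remediation steps above (identify the public snapshots, then strip all from the restore attribute) and the Config rule in this section, gathered into one script as an added example; this is not code from the original page, the rule vendor or AWS. It assumes the AWS CLI v2 is configured with credentials that allow rds:Describe* and, for --fix and --config, rds:ModifyDBSnapshotAttribute, rds:ModifyDBClusterSnapshotAttribute and config:PutConfigRule. The Config rule name rds-snapshots-public-prohibited is an arbitrary choice; the source identifier RDS_SNAPSHOTS_PUBLIC_PROHIBITED is the AWS managed rule. It goes beyond the text by also covering Aurora DB cluster snapshots, which are inspected and unshared with the db-cluster-snapshot variants of the same commands.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: find manual RDS snapshots that are shared
# publicly, optionally make them private, and optionally enable the AWS managed Config rule.
# Assumes the AWS CLI v2 is configured; --fix needs rds:ModifyDBSnapshotAttribute and
# rds:ModifyDBClusterSnapshotAttribute, --config needs config:PutConfigRule.
set -eu

# RDS stores sharing in the snapshot's "restore" attribute: a list of account IDs, or the
# single value "all" when the snapshot is public. $1 is that list, whitespace-separated.
restore_values_are_public() {
  local v
  for v in $1; do
    if [ "$v" = all ]; then
      return 0
    fi
  done
  return 1
}

# Print the restore attribute values of one snapshot. $1 = "db" or "cluster", $2 = identifier.
restore_values() {
  if [ "$1" = cluster ]; then
    aws rds describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier "$2" \
      --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" \
      --output text
  else
    aws rds describe-db-snapshot-attributes --db-snapshot-identifier "$2" \
      --query "DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" \
      --output text
  fi
}

# Remove "all" from the restore attribute. Accounts the snapshot was shared with explicitly
# keep their access; only the public grant is withdrawn.
make_private() {
  if [ "$1" = cluster ]; then
    aws rds modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier "$2" \
      --attribute-name restore --values-to-remove all >/dev/null
  else
    aws rds modify-db-snapshot-attribute --db-snapshot-identifier "$2" \
      --attribute-name restore --values-to-remove all >/dev/null
  fi
}

# Walk every manual snapshot in the current account and region. Automated snapshots cannot
# be shared, so only --snapshot-type manual is inspected. $1 = "fix" to remediate.
audit_snapshots() {
  local mode="${1:-report}" id
  for id in $(aws rds describe-db-snapshots --snapshot-type manual \
                --query 'DBSnapshots[].DBSnapshotIdentifier' --output text); do
    if restore_values_are_public "$(restore_values db "$id")"; then
      echo "PUBLIC db snapshot: $id"
      if [ "$mode" = fix ]; then make_private db "$id"; echo "  -> made private"; fi
    fi
  done
  for id in $(aws rds describe-db-cluster-snapshots --snapshot-type manual \
                --query 'DBClusterSnapshots[].DBClusterSnapshotIdentifier' --output text); do
    if restore_values_are_public "$(restore_values cluster "$id")"; then
      echo "PUBLIC cluster snapshot: $id"
      if [ "$mode" = fix ]; then make_private cluster "$id"; echo "  -> made private"; fi
    fi
  done
}

# Create the AWS managed Config rule RDS_SNAPSHOTS_PUBLIC_PROHIBITED, which evaluates both
# DB snapshots and DB cluster snapshots. The ConfigRuleName below is an arbitrary choice.
enable_config_rule() {
  aws configservice put-config-rule --config-rule '{
    "ConfigRuleName": "rds-snapshots-public-prohibited",
    "Source": {"Owner": "AWS", "SourceIdentifier": "RDS_SNAPSHOTS_PUBLIC_PROHIBITED"}
  }'
}

case "${1:-}" in
  --report) audit_snapshots report ;;
  --fix)    audit_snapshots fix ;;
  --config) enable_config_rule ;;
  *) ;;  # no argument: only define the functions, so the file can be sourced or tested
esac
```

Run the script with --report to list public snapshots, --fix to make them private, or --config to create the Config rule. The check is deliberately done per snapshot against the restore attribute rather than by listing --snapshot-type public, so it does not depend on filtering other accounts' public snapshots out of the listing, and the remediation only removes the all grant rather than rewriting the whole attribute.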
By adhering to these steps, you will ensure that RDS snapshots remain private, which is required to maintain FedRAMP Low Revision 4 compliance. Additionally, always stay informed about the latest FedRAMP guidelines to ensure ongoing compliance.