Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures RDS snapshots do not allow public access to maintain data security.

Rule: RDS snapshots should prohibit public access
Framework: FedRAMP Low Revision 4
Severity: Critical

Rule Description:

This rule ensures that RDS snapshots in an AWS account are not publicly accessible. It specifically focuses on meeting the requirements set forth by FedRAMP (Federal Risk and Authorization Management Program) for systems categorized as "FedRAMP Low" in Revision 4.

Troubleshooting Steps:

  1. Check the current status of the RDS snapshots in the AWS account.
  2. Identify if any of the RDS snapshots are publicly accessible.
  3. Determine if the account is required to comply with FedRAMP Low Revision 4.

Necessary Codes:

No specific codes are required for this rule, as it primarily involves configuration settings and access controls within the AWS account.

Step by Step Guide for Remediation:

1. Identify publicly accessible RDS snapshots:

To identify RDS snapshots that are publicly accessible, you can use the AWS Command Line Interface (CLI) by following these steps:

a. Install and configure AWS CLI:

  • Install the AWS CLI by following the instructions provided in the AWS CLI user guide.
  • Configure the AWS CLI with your AWS account credentials by executing the aws configure command and providing your Access Key ID, Secret Access Key, default region, and output format.

b. List all RDS snapshots and check their accessibility:

  • Run the following command to list all RDS snapshots in your account:
aws rds describe-db-snapshots
  • Review the output and check the "PubliclyAccessible" field for each snapshot. Snapshots with a value of "true" are publicly accessible.

2. Update RDS snapshot accessibility:

To remediate the issue and modify the accessibility of the RDS snapshots, follow these steps:

a. Identify the snapshots to modify:

  • Based on the previous step, identify the RDS snapshots that have "PubliclyAccessible" set to "true".

b. Modify the snapshot accessibility:

  • Run the following command to modify the accessibility of an RDS snapshot:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all

Replace <snapshot-identifier> with the actual identifier of the snapshot you want to modify.

  • Repeat this command for each snapshot that needs to be updated.
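The identify-and-remediate loop above as a script. This is an added example, not code from the original page; the function names and the audit/fix arguments are hypothetical. The AWS CLI reports snapshot sharing through the restore attribute returned by describe-db-snapshot-attributes, where the value "all" means the snapshot is public, so the script tests for that value.

```shell
#!/bin/sh
# Added example (not from the original page): find and fix public RDS snapshots.
# Function names are hypothetical; the aws subcommands and options are real.

# Succeeds when the whitespace-separated restore values on stdin include "all".
is_public() {
  tr -s '[:space:]' '\n' | grep -qx 'all'
}

# Prints the ids of manual snapshots (automated ones cannot be shared).
list_manual_snapshots() {
  aws rds describe-db-snapshots --snapshot-type manual \
    --query 'DBSnapshots[].DBSnapshotIdentifier' --output text
}

# Prints the accounts a snapshot is shared with; "all" means everyone.
restore_values() {
  aws rds describe-db-snapshot-attributes --db-snapshot-identifier "$1" \
    --query "DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" \
    --output text
}

# Prints one line per snapshot whose restore attribute contains "all".
audit_snapshots() {
  for snap_id in $(list_manual_snapshots); do
    if restore_values "$snap_id" | is_public; then
      echo "$snap_id"
    fi
  done
}

# Removes public access; sharing with specific account ids is left unchanged.
make_private() {
  aws rds modify-db-snapshot-attribute --db-snapshot-identifier "$1" \
    --attribute-name restore --values-to-remove all
}

# Usage: sh script.sh audit   (list public snapshots)
#        sh script.sh fix     (remove public access from each one)
case "${1:-}" in
  audit) audit_snapshots ;;
  fix)   for public_id in $(audit_snapshots); do make_private "$public_id"; done ;;
esac
```

The script checks one region at a time, using the region the CLI is configured for. Aurora cluster snapshots are handled by the separate describe-db-cluster-snapshot-attributes and modify-db-cluster-snapshot-attribute commands.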

Summary:

By following the troubleshooting steps and remediation guide provided above, you can ensure that RDS snapshots in your AWS account are not publicly accessible. This ensures compliance with the specified FedRAMP Low Revision 4 policy. Remember to regularly review and monitor the accessibility settings for your RDS snapshots to maintain compliance.
