Rule: RDS Snapshots should prohibit public access
This rule ensures RDS snapshots do not allow public access to maintain data security.
| Rule | RDS snapshots should prohibit public access |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Critical |
RDS Snapshot Public Access - FedRAMP Moderate Revision 4
Description
RDS (Relational Database Service) Snapshots in AWS should prohibit public access to ensure compliance with the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 standard. This rule requires that the RDS snapshots are not accessible to unauthorized users or entities. By restricting public access to RDS snapshots, sensitive data stored within the database is safeguarded from potential security risks and breaches.
Troubleshooting Steps
If public access is detected or enabled for RDS snapshots, follow these troubleshooting steps to remediate the issue:
- 1.
Identify the affected RDS cluster: Determine the specific RDS cluster associated with the snapshots violating the rule.
- 2.
Verify snapshot access permissions: Check the current snapshot access permissions to identify any public access granted.
- 3.
Identify the source of public access: Determine how public access was granted to the snapshot(s). Review the network configuration, security groups, IAM roles, or any other relevant settings.
- 4.
Audit and review access policies: Examine the associated network and IAM policies to ensure that no unintended public access has been granted.
- 5.
Remove public access: Modify the associated policies and settings to remove public access permissions for the affected RDS snapshots.
Necessary Codes
In case you need to update the RDS snapshot access permissions, the following AWS CLI (Command Line Interface) command can be used:
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-add <AWS_ACCOUNT_ID>
Step-by-Step Guide for Remediation
Follow the step-by-step guide to remediate the public access for RDS snapshots as per the FedRAMP Moderate Revision 4 standard:
- 1.
Identify the affected RDS cluster: Determine the specific RDS cluster and its associated snapshots that violate the rule.
- 2.
Verify snapshot access permissions: Check the current access permissions for each snapshot to identify any public access granted.
- 3.
Identify the source of public access: Investigate and determine how public access was granted to the snapshot. Review the network configuration, security groups, IAM roles, and any other relevant settings.
- 4.
Audit and review access policies: Carefully examine the associated network and IAM policies to ensure that no unintended public access has been granted. Modify the policies as necessary to restrict public access.
- 5.
Update snapshot access permissions: Use the AWS CLI command mentioned earlier to modify the snapshot attribute and exclude the AWS account ID from the list of values.
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-add <AWS_ACCOUNT_ID>Replace
with the specific identifier of the affected snapshot and<snapshot-id>
with the correct AWS account ID.<AWS_ACCOUNT_ID> - 6.
Repeat for all affected snapshots: If multiple snapshots are violating the rule, repeat steps 5 and 6 for each of them to remove public access.
- 7.
Verify successful remediation: Once the necessary changes have been made, verify that public access has been successfully removed for all affected RDS snapshots.
By following these steps, you can ensure that RDS snapshots prohibit public access, aligning with the requirements of the FedRAMP Moderate Revision 4 standard and enhancing the overall security of the AWS infrastructure.